tag

Johnny 5 needs more input.

Is your wifi network for your iot devices only existing on a single vlan?

I'd put that vlan on its own subnet and route all that traffic out your vpn gateway/tunnel.

You can test it by simply adding a machine to the network and put it on that subnet and see if the traffic works. If that works then you can focus on the wifi part.

Its a fairly common setup. I do that with fabrication robots and equipment. They are all isolated on their own vlan/subnet including their own SSID and then they get routed to wherever on the core router. The firewall just clamps down on what kind of traffic they are allowed to send.

Is the VPN on its own vlan? You might try that and just route from one vlan to the next.

We use Cisco for everything so I'm not sure what your commands would be. You wouldn't really need firewall rules unless you were trying to filter types of traffic

There should be options in there to only allow certain SSIDs to exist on certain vlans.

So make a vlan with subnet 172.16.0.0/24 or whatever and put all your iot stuff on there. Then a simple route that says route all that traffic to the IP of your VPN gateway. You may have to put the VPN gateway on its own vlan and subnet if you can't get the routing to work.

Don't overthink it.

You can also route based on specific destination if all your iot devices are trying to get to the same IP.

Think of it like legos and make sure each part does what its supposed to before trying to put them all together.