First-time poster, occasional reader for some time. Not really sure where to post this, so I chose the misc section :)

Poor throughput, coupled with corona and work from home forced me (a.k.a. the wife made an ultimatum) to re-do my home wiring.
Traditionally I had my 1490 connected directly to the modem and used it as a gateway, DHCP server, wireless AP, hotspot for guests, and everything else applicable to the home of a half-nerd. Regardless of the product specs for the 1490, I barely managed to get over 30 Mbps throughput, often coupled with random losses of connectivity.
For the longest time I was convinced this was the limitation of my ISP (I live in Germany, and 1998 speeds & quality are common here), but to please the wife, I went out and bought a TP-Link home router to take care of the internet and wireless printing. (It's also when I realised my internet speeds can actually get over 100 Mbps.)
Our place is also full of IoT stuff. Regardless of how useful I find them, I don't trust them and do not want to have them on the same network as the rest of my computers. Besides IoT, there are also a couple of NASes which I would like to separate from the rest of the environment. All this gives me a reason to continue geeking out with my 1490 without having to worry about the wife complaining about Netflix taking forever to load :)

At the end of the day, this is how I would like my network topology to look:

[Image: Screenshot 2021-10-01 at 20.37.54.jpg]
I'd like the whole network to be one /24 and CP sitting in between the IoT and the rest of the network.

I'd like the IoT to be available from the rest of the network, but I don't want the rest of the network to be available for IoT (i.e. I can ping the lightbulb, but the lightbulb can't ping me).

So far I've set up the 1490 in bridge mode (br0 - WAN and LAN1_switch), with DHCP relay enabled, and things get internet connectivity (yay!).
Playing around, I also enabled DHCP on both the TP-Link and the CP, the TP-Link being limited to a smaller range (.50-.70) and the CP to .200-.240.

Managing the security policy based on what's internal traffic and what's external gets a bit tricky, hence I am opening this thread here.

Is there a better operating mode than a bridge to achieve the desired scenario?
Any comment, suggestion, concern will be greatly appreciated.
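An added illustration of the "I can ping the lightbulb, but the lightbulb can't ping me" requirement (my own toy code, not from the thread and not Check Point's): a stateful filter that only lets the LAN side open flows across the bridge and matches replies against a flow table. The 192.168.1.0/24 addressing and the assumption that the CP DHCP pool (.200-.240) is the IoT side of the bridge are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed addressing (not from the post): one home /24 where the CP DHCP pool
# (.200-.240) is assumed to be the IoT side of the bridge and all else is the LAN side.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_FIRST, IOT_LAST = 200, 240

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # icmp: echo identifier of a request
    dport: int = 0    # icmp: echo identifier of a reply
    new: bool = True  # first packet of a flow (TCP SYN, ICMP echo request)

def is_iot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr in HOME_NET and IOT_FIRST <= int(addr) - int(HOME_NET.network_address) <= IOT_LAST

def flow_key(p: Packet):
    return (p.src, p.sport, p.dst, p.dport, p.proto)

class BridgeFirewall:
    def __init__(self):
        self.flows = set()   # 5-tuples of flows the LAN side was allowed to open (no timeouts modelled)

    def handle(self, p: Packet) -> str:
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if flow_key(p) in self.flows or reverse in self.flows:
            return "ACCEPT_ESTABLISHED"   # follow-up or reply of an allowed flow, either direction
        if not p.new:
            return "DROP_NO_FLOW"         # reply-looking packet with no matching flow
        if not is_iot(p.src) and is_iot(p.dst):
            self.flows.add(flow_key(p))
            return "ACCEPT_NEW"           # only LAN -> IoT may initiate
        if is_iot(p.src) and not is_iot(p.dst):
            return "DROP_IOT_INITIATED"   # the lightbulb may not initiate to me
        return "ACCEPT_NOT_BRIDGED"       # same side, never crosses the bridge

def demo():
    fw = BridgeFirewall()
    return [
        fw.handle(Packet("192.168.1.55", "192.168.1.210", "icmp", sport=0x1234)),             # my ping
        fw.handle(Packet("192.168.1.210", "192.168.1.55", "icmp", dport=0x1234, new=False)),  # its reply
        fw.handle(Packet("192.168.1.210", "192.168.1.55", "icmp", sport=0x4242)),             # bulb pings me
        fw.handle(Packet("192.168.1.55", "192.168.1.210", "tcp", 40000, 80)),                 # LAN -> IoT web UI
        fw.handle(Packet("192.168.1.210", "192.168.1.55", "tcp", 80, 40000, new=False)),      # SYN-ACK back
        fw.handle(Packet("192.168.1.210", "192.168.1.55", "tcp", 51000, 22)),                 # IoT -> LAN ssh
    ]
```

The point the demo makes is that the rule is about who may initiate, not about packet direction, so a plain direction-based ACL on the bridge would either block the replies to my ping or let the bulb through.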