Getting Started With IOT Safe Network

The protected VLAN needs to be able to talk to the IOT VLAN. So, to answer your question: you don’t need to open specific ports, just allow traffic to the devices on that IOT VLAN and NOT the other way around.
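The one-way policy described in this reply, written out as an nftables forward ruleset for a Linux-based router. This is an added example, not from the thread or from any Synology or TP-Link configuration; the interface names (lan, vlan20, wan) and subnets are assumed placeholders.

```nftables
# Added example (not from the thread): forward-chain policy between a
# protected VLAN and an IoT VLAN on a Linux router running nftables.
# Assumed names: protected VLAN on interface "lan" (192.168.10.0/24),
# IoT VLAN on "vlan20" (192.168.20.0/24), upstream on "wan".
table inet iot_filter {
    chain forward {
        # Default is drop: anything not explicitly allowed below is blocked.
        type filter hook forward priority 0; policy drop;

        # Stateful return path: replies to connections that the protected
        # side opened are allowed back; the IoT side cannot open new ones.
        ct state established,related accept
        ct state invalid drop

        # Protected VLAN may initiate connections to IoT devices
        # (e.g. a phone or tablet talking to a hub on the IoT VLAN).
        iifname "lan" oifname "vlan20" accept

        # IoT VLAN may reach the Internet, but not the protected VLAN.
        iifname "vlan20" oifname "wan" accept

        # New connections from IoT towards the protected VLAN are logged
        # and dropped; add narrow exceptions here only if a device needs them.
        iifname "vlan20" oifname "lan" log prefix "iot-to-lan-drop: " drop
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`; the logged drops show which IoT devices are trying to reach the protected side.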

Sorry, I am still a bit confused after browsing all the discussions here; maybe I need to re-read every post in more detail.

My question is: if I set up a VLAN, do I need to switch Wi-Fi to the VLAN from my main SSID in order to access the IOT? Also, do I have to switch all hubs (including the Apple TV, last Ethernet version) to the VLAN too? Then my iPhone and iPad would have to be on the same VLAN to access the Apple TV, such as when using the Remote app?

Appreciate any advice on the above

I always value your view when it comes to networking and IOTs. Thanks for the very informative insight. And as I had guessed, a VLAN is something too complex for me to implement. I will try to follow your suggestions above.

You must have been there a long time ago…. :smiley: A VLAN is simply another type of VPN, the same way a GRE tunnel is. VLANs, VXLAN, BGP EVPN, blah blah blah are still very much alive and well. Simply put, these technologies are put in place to make it easier to deploy policy…

Fair enough. Just remember, most of the cloud services that you consume have security, segmentation and policy enforcement based on VLANs (VPCs, etc.). I never said that a VLAN makes you “secure”, but a VLAN or some type of VLAN is absolutely used as a mechanism to help implement security policy. We can agree to disagree, but the facts are what they are. I do this daily….

An interesting thread, especially as I recently purchased the latest Synology router specifically to put my IOT devices onto a separate VLAN (having failed to successfully use the TP-Link Omada router and software-based controller).

I believe that I’ve separated off my devices from my main network, but can still access the IOT devices via the firewall implementation that Synology suggests.

However, I have found the ability to set different DNS settings for the router to be very helpful and have the IOT network using NextDNS.

I think there are limits on the here in the UK (i.e. I don’t think it’s legal), though I could be mistaken.

I think the difference with the Synology (and other prosumer units) is that I can set a different DNS per network; the cheaper Netgear router I had previously allowed me to set my own DNS, but that applied to all web traffic, regardless of whether it was on my main Wi-Fi or my guest network.

My Pi-Hole uses a mix of Cloudflare and OpenDNS, whilst the IOT network uses NextDNS.