Put those devices in different VLANs + give them ULA addresses + don’t implement NAT = No internet access for them.