Hi there.
I have MT connecten via WAN port on internal network.
Main network: 192.168.1.x (main router/gateway: 192.168.1.252)
MT's network: 192.168.111.x (MT's IP: 192.168.111.111)
MT's wifi (hotspot) network: 192.168.222.x (MT's wifi hotspot ip: 192.168.222.111)

I want to isolate 192.168.1.x from MT's 192.168.222.x/192.168.111.x). MT's gateway on WAN port is 192.168.1.252.
I've created VLAN for MT's lan ports + wifi. Yet that seem not to do the job (perhapse because main network has no vlan @ all). Is VLAN actually a solution on this (without any changes on main network)?
For now I've just created a simple firewall rule: But perhapse it would be better to separate traffic on interface layer instead?

If you can't or don't want to do anything with main router, VLAN won't help you, if MT's WAN port is still connected to main network as it is now. Firewall filter is good enough, nothing will pass from other networks to main one, as long as you (or anyone else with access to MT) don't disabled it or don't allow access with some other rule(s).

If that's the only reasonable solution I'm ok with it...
My main concern is to secure unauthorised access via wifi. So my MT's wifi works in 'hotspot' mode with additional web login as a 2nd line of defense :P
Also all inputs from wifi to MT itself are dropped. That should be enough for now.