If you are on wire you can guarantee your efforts will work. Even on Wifi, It's generally easiest to assign or hard code the IP address for the device in question and simply create a rule blocking outbound for the device. With Wifi make sure the device is not using a floating mac address, and assign it trivial on every cheapo router I've ever dealt with. I had some camera's:
View attachment 229810
That liked to phone home. I actually blocked everything that desired to use the iLink service. It's easy enough to build a rule as granular as you want on even many of the cheap firewalls, just create a rule <ip of device> to <0.0.0.0/0> dis-allow.
Most of the more modern cheapo firewalls will let you leave the rule and allow you to disable/enable it, so if you needed it to get out for maintenance, you disable the rule, do what you gotta, then re-enable the rule.
VLANS and all that is a little overkill for a home network. I run about 4 VLANS, but I have a complex setup with multiple ISP's and failover, and I'm running some of the external lans over the same switch gear, because I do a lot of testing and cruft, with multiple IPSEC and, BGP, and ...\
Summary: Force the gear onto a specific IP address with a MAC assignment or code on the device. Put a rule on your firewall to control that IP. Don't over-complicate it.
