diff --git a/ansible/roles/openwrt/tasks/wireless.yml b/ansible/roles/openwrt/tasks/wireless.yml
index 568af9a..2e57f8c 100644
--- a/ansible/roles/openwrt/tasks/wireless.yml
+++ b/ansible/roles/openwrt/tasks/wireless.yml
@@ -25,6 +25,12 @@
 network: iot
 mode: ap
 ssid: szafa
+ hidden: '1' # Stop broadcasting SSID
+ macfilter: allow # Apply MAC filter allowing only specific addresses
+ maclist:
+ - 80:64:7c:99:21:20 # Thermomether
+ - C0:F8:53:89:E5:EF # Smart plug
+ - C0:F8:53:89:E3:42 # smart plug
 encryption: psk2
 key: "{{ openwrt_iot_wifi_password }}"
 disabled: '0'
diff --git a/docs/network.md b/docs/network.md
index d498cfe..3a2f5df 100644
--- a/docs/network.md
+++ b/docs/network.md
@@ -50,7 +50,7 @@ Network is divided to multiple VLANs to enforce strict access control rules usin
 Internet access only
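Review bot: In the wireless.yml hunk, the comments on `hidden: '1'` and `macfilter: allow` present both settings as access controls, but neither authenticates a client. A hidden SSID is still carried in probe and association frames, and client MAC addresses are sent unencrypted in frame headers, so the real boundary for this network remains `encryption: psk2` with its key plus the VLAN firewall rules. I would make that explicit in the comment, for example `macfilter: allow # Allow-list of known devices; hygiene only, not authentication`, and soften "strict MAC filtering" in docs/network.md to match. The device addresses are also hard-coded in the task, whereas the key comes from `openwrt_iot_wifi_password`; a role variable such as `maclist: "{{ openwrt_iot_wifi_maclist }}"` (name is only a suggestion) would keep the device inventory out of the task file. The task being edited starts and ends outside the hunk.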
IP: 192.168.5.0/24 / 2001:470:61a3:a::/64
Gateway: 192.168.5.1 / 2001:470:61a3:a:ffff:ffff:ffff:ffff
- DHCP / SLAAC, accessible via separate WiFi network "szafa" from D-Link for absolutely untrusted Tuya and like devices
+ DHCP / SLAAC, accessible via separate, hidden WiFi network "szafa" from D-Link with strict MAC filtering for absolutely untrusted Tuya and like devices
 - 6: Internet access for OpenWRT
Internet access only
IP: 192.168.6.0/24 / 2001:470:61a3:600::/64