  • UPNP HOTLAN access only

    I have been reading about UPNP vulnerabilities and I can see issues with the protocol. I was wondering what is the best approach to mitigate the risks. My network runs with virtualized servers and can be configured with as many LANs and/or HotLANs as I wish to have; I also have VLAN capabilities across my switches and WiFi APs. For this setup (home) I would prefer to only use one gateway.

    I was thinking of possibly moving all the appliances that use UPNP to the HOTLAN and, if needed, opening the ports to the appliances that require access to the LAN. Or would it be equivalent to have a second LAN set up for these appliances? It would be less work running the appliances on a second LAN, but I am not sure whether the vulnerability includes traversal to other LANs. I believe that would be unlikely, but I am not sure. Anyone's input would be appreciated.

    What would be the best approach to modifying ClearOS miniupnp for the above? Would it be to modify the miniupnpd.conf permission rules? For the HOTLAN approach: modify the permission rules, or manually exclude the LAN in the configuration file init_clearos.sh?