Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?
Choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway. There are plenty around if you look.
I aim for Wi-Fi 5 (ac) at least, and I would like to have WPA3.
So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wi-Fi AP on a PoE port, and my other devices on the remaining ports.
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).
You don't have to have a power point by the AP with PoE injectors; they just need to be in the line to the AP somewhere.
One other thing that needs to be remembered here: once you have one managed switch, anywhere else on the wired network will also require managed switches, unless you can set the VLAN ID on each endpoint; not all NICs support that.