Untrusted device advice?

[DHR]

I'm new to OPNsense but I'm trying to figure how best to structure my new network.

I have a typical home environment with multiple IoT devices examples being:-

• Philips Hue Bridge connected via ethernet
• Hikvision CCTV connected via powerline adaptor/ethernet
• Hive Heating connected via ethernet
• YiHome Cameras connected via wifi

...to name but a few.

High level, I wish to give these devices the room they need to work, without having everything on a flat network. Trick is some such as the CCTV are accessed via mobile phones, both on and off the local wifi.

I'm assuming the easiest way is to use VLANs and pickup a layer 3 switch and some new wireless kit? Am I thinking along the correct lines here?

• VLAN 11 - Wired IOT devices plugged into tagged ports on switch?
• VLAN 12 - Wireless IOT devices are added to the network connecting to a dedicated iot SSID which is on a VLAN?
  
• VLAN13 - Trusted devices
• VLAN14 - Guest devices

The key is that mobile phones on the trusted devices network can still access the services provided by the cloud IOT devices such as the hue bridge, and YiHome cameras etc.