VLAN configuration on a "smart" switch for a guest WiFi network

[+Fahim S. 1,085]

So I finally got round to buying a proper access point (Unifi nanoHD), which is capable of having multiple SSIDs, mapped to VLANs.  I have a "smart" switch (TP-Link TL-SG2008), and a PFSense based firewall (SG2220).

 

Assuming that:

1) The AP is connected to the switch on port 1

2) The firewall is connected to port 8

3) There a bunch of other "trusted" devices on the other 6 ports.

4) I want my "trusted" network to run on VLAN 11.

5) I want my "untrusted" network to run on VLAN 99.

 

Is it right that I?

Set up a "trusted" SSID on the AP, which is on VLAN 11.

Set up an "untrusted" SSID on the AP, which is on VLAN 99.

Set up port 1 on my switch to preserve VLANs

Set up port 8 on my switch to preserve VLANs

Set up ports 2 through 6 to tag packets on entry with VLAN 11 and strip VLANs on the way out

 

Does anyone know how to achieve the configuration on my particular switch?

Also what changes do I need to make to pfSense to treat the VLANs as logical interfaces, each with their own subnet, DHCP ranges, internet access and prevent any routing between them?

 

Is there a specific sequence I need to do this all in so I don't lose connectivity to the various components whilst I make the changes?

[+BudMan 3,430]

Any time - if you have any questions on pfsense, just ask.. Happy to help..