Suggestion & Advice for Factory Business Network

kwss
post May 29 2024, 01:01 AM

How do you intend to secure your VLANs? Having VLANs won't directly increase security, as you will have to deal with ACLs for inter-VLAN traffic.

On top of that you have to do IP address planning (not difficult for your network size), first hop security, and document all of it. As someone mentioned, you will also likely not be able to use IPv6.

My suggestion:
- You don't need 2 routers. Based on your network, you can even use the TM-provided router.
- Buy a switch that can do Port Isolation. Basically you just set all the ports to isolated, except the port to the router and maybe the network printer. Using this method, you don't need to do IP address planning, IPv6 will work, and no ACL is needed.
- Make sure your switch has a dedicated management port. In case you get hacked, it will not be possible to remove the Port Isolation setting.
- Buy Wi-Fi APs that support client isolation as well and just enable it for everyone. You may put your APs on a different VLAN without port isolation. This is so that the controller / master can see each other. This protects the management interface from being accessed. It also protects inter-AP traffic from being sniffed / poisoned.
- If you decide to buy a router, make sure it can be configured with a management port as well. This way, nobody can mess with it without physical access.

Outcome:
- All devices on the network will not be able to see each other.
- In the event any of the devices gets hacked, it will only see the router and the network printer. Nothing else!
- Security is enforced by the switch chip and cannot be bypassed without physical access to the management port.
- In the event you have an insider attack trying to mess with your network port, you are still secure (different story if they have physical access to the switch).
- Port Isolation is known to protect against all L2 attacks without the need for an expensive switch to provide First Hop Security (which needs additional configuration on top of inter-VLAN ACLs).

Assumption:
- Since you don't have any server, I assume you don't intend to connect devices directly to each other. If you decide to add a server later on, just group the servers in their own VLAN.
- You use managed services like Google Workspace, Office 365, SharePoint, etc., which are all in the cloud.
- Don't depend on perimeter security. Do zero trust as much as possible.

This post has been edited by kwss: May 29 2024, 02:31 AM
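An added example of the switch side of this design, not from the post above: Cisco IOS-style "protected port" configuration, which is Cisco's implementation of per-port isolation on a single switch. Assumed layout: Gi1/0/1 is the uplink to the router, Gi1/0/2 is the network printer, Gi1/0/3-24 are user and machine ports, and Gi0/0 is the dedicated out-of-band management port; interface names and addresses are placeholders.

```cisco
! Added example, not the post author's configuration. Assumptions: 24-port
! access switch, Gi1/0/1 = uplink to router, Gi1/0/2 = network printer,
! Gi1/0/3-24 = user/machine ports, Gi0/0 = out-of-band management port.
!
! Protected ports never forward frames (unicast, multicast or broadcast) to
! other protected ports on the same switch. They can still reach unprotected
! ports, so every device sees only the router and the printer.
interface range GigabitEthernet1/0/3 - 24
 description Isolated user / machine ports
 switchport mode access
 switchport access vlan 10
 switchport protected
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/1
 description Uplink to router (NOT protected)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Network printer (NOT protected)
 switchport mode access
 switchport access vlan 10
!
! No in-band management: the switch has no IP address in VLAN 10, so a
! compromised device on an isolated port cannot reach the switch CLI.
interface Vlan10
 no ip address
 shutdown
!
! Management only through the dedicated out-of-band port (placeholder address).
interface GigabitEthernet0/0
 description Dedicated management port (out-of-band)
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
!
line vty 0 4
 transport input ssh
```

Caveat: protected ports isolate only within one switch; if the machines span several switches, isolation needs private VLANs (or the vendor's cross-switch equivalent) so that two protected ports on different switches cannot talk through the inter-switch link.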
