I don’t use the default VLAN (VLAN1) on my network; I have one port assigned to VLAN1 on my ER-X, which I can plug into for management access to the ER-X. Everything else is on its own VLAN.
I created a few VLANs on my ER-X, and then used simple firewall rules to deny or permit access from one VLAN to the next as needed.
So:
VLAN1 = Unused, assigned to 1 port on ER-X for management. Untagged.
VLAN2 = PCs, phones, etc.
VLAN3 = Smart TVs, other smart devices.
VLAN4 = Guest network.
With that said, your plan would also work.
Add VLAN2 for your kid’s devices.
Add your NAT rules for internet access.
Add Firewall rules to prevent access between VLANs.
Add Firewall rules to allow access from your kid’s network to printer.
Trunk port to your access point, as you indicated in your diagram.
Separate SSID for your kid’s WiFi stuff, tied to their VLAN.
Access port for your kid’s hard-wired devices.
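The firewall part of this plan depends on rule order: the printer exception has to be evaluated before the rule that blocks the other VLANs. The sketch below is an added example, not code from the post or from EdgeOS; it models first-match evaluation for traffic arriving from the kid VLAN and audits both orderings. The subnets, the printer address and its placement on the main LAN are assumptions made for illustration.

```python
"""First-match model of the kid-VLAN ruleset; all addresses are constructed."""
from ipaddress import ip_address, ip_network

# Assumed addressing (not from the post): kid VLAN is 192.168.2.0/24,
# the printer sits on the main LAN at 192.168.1.50.
PRINTER = ip_network("192.168.1.50/32")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules for traffic entering the router from the kid VLAN, evaluated in order.
GOOD = [
    ("accept", [PRINTER]),  # exception first
    ("drop", PRIVATE),      # then block every other local VLAN
]
BAD = list(reversed(GOOD))  # same two rules, wrong order


def decide(rules, dst, default="accept"):
    """Return the action of the first rule whose destination contains dst."""
    addr = ip_address(dst)
    for action, nets in rules:
        if any(addr in net for net in nets):
            return action
    return default  # nothing matched: internet-bound traffic, handed to NAT


def audit(rules):
    """Check a ruleset against the three outcomes the plan calls for."""
    probes = {
        "printer": ("192.168.1.50", "accept"),
        "main-lan host": ("192.168.1.10", "drop"),
        "internet": ("203.0.113.10", "accept"),  # documentation-range address
    }
    return {name: decide(rules, dst) == want for name, (dst, want) in probes.items()}


if __name__ == "__main__":
    for label, rules in (("allow-then-drop", GOOD), ("drop-then-allow", BAD)):
        print(label, audit(rules))
```

With the rules reversed, the audit still passes for the main LAN and the internet but fails for the printer, which is the symptom to look for if printing breaks after the isolation rules go in.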