I think such a split is already the default setup: The WAN interface refers to the first (eth0) port, and the LAN interface is a bridge for the other ports (eth1–eth4).
Thus I wonder if I need a VLAN? Can I use the default setup (by only tweaking the firewall settings)?