Firewall: entirely up to you. Depends on how much separation/granular control you'd like.
For 2:
Create the wireless networks in LuCI, and then bridge them to the appropriate interface (Network > Interfaces); either your lan interface, or one of your vpn interfaces. Some screenshots that may help can be found here:
For 3:
You need to create VLANs and configure your switch. You said you wanted LAN1 and LAN2 to route over your ISP connection; LAN3 over one VPN connection; LAN4 over the other. There are plenty of forum posts that cover this topic (e.g. Replicating a VLANs scenario - #2 by lleachii), but (very) roughly you'll need to do something like this:
- Assign one VPN to VLAN3 and the other to VLAN4.
Then, for your switch config:
- Create VLANs 3 & 4
- VLAN1: turn off LAN3 and LAN4
- VLAN2: turn off LAN3 and LAN4
- VLAN3: CPU must be tagged; LAN1 off, LAN2 off, LAN3 untagged, LAN4 off
- VLAN4: CPU must be tagged; LAN1 off, LAN2 off, LAN3 off, LAN4 untagged
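
Added example, not part of the original post: a small check that reads swconfig-style `switch_vlan` sections and reports any port left untagged in more than one VLAN, or a VPN VLAN whose CPU port is not tagged, since either mistake would defeat the LAN3/LAN4 separation described above. Assumptions: the switch is named `switch0`, port 0 is the CPU, ports 1 to 4 are LAN1 to LAN4 and port 5 is WAN; the numbering on real hardware differs per device, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits swconfig-style switch_vlan
# sections read from stdin. Assumed port numbering: CPU=0, LAN1..LAN4=1..4, WAN=5.
# Usage: audit_switch_vlans CPU_PORT "VLAN_IDS" < /etc/config/network
audit_switch_vlans() {
    awk -v cpu="$1" -v need="$2" -v q="'" '
    function flush(   i, n, p, port) {          # record the section just finished
        if (vid == "") return
        seen[vid] = 1
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /t$/) { port = substr(p[i], 1, length(p[i]) - 1); tagged[vid, port] = 1 }
            else { where[p[i]] = where[p[i]] " " vid; count[p[i]]++ }
        }
        vid = ""; ports = ""
    }
    { gsub("[\"" q "]", "") }                   # drop UCI quoting
    $1 == "config" { flush(); in_vlan = ($2 == "switch_vlan"); next }
    in_vlan && $1 == "option" && $2 == "vlan"  { vid = $3 }
    in_vlan && $1 == "option" && $2 == "ports" { ports = ""; for (i = 3; i <= NF; i++) ports = ports " " $i }
    END {
        flush()
        for (port in count) if (count[port] > 1) {
            printf "port %s is untagged in VLANs%s\n", port, where[port]; bad = 1 }
        n = split(need, v, " ")
        for (i = 1; i <= n; i++) {
            if (!(v[i] in seen)) { printf "VLAN %s is not defined\n", v[i]; bad = 1 }
            else if (!((v[i], cpu) in tagged)) { printf "VLAN %s: CPU port %s is not tagged\n", v[i], cpu; bad = 1 }
        }
        exit bad + 0                            # non-zero when any finding was printed
    }'
}

# Constructed sample configs: GOOD follows the layout in the post, LEAKY leaves
# LAN3 in VLAN1 and makes the CPU port untagged in VLAN4.
mk_vlan() { printf "config switch_vlan\n\toption device 'switch0'\n\toption vlan '%s'\n\toption ports '%s'\n\n" "$1" "$2"; }
GOOD=$(mk_vlan 1 '0t 1 2'; mk_vlan 2 '0t 5'; mk_vlan 3 '0t 3'; mk_vlan 4 '0t 4')
LEAKY=$(mk_vlan 1 '0t 1 2 3'; mk_vlan 2 '0t 5'; mk_vlan 3 '0t 3'; mk_vlan 4 '0 4')
printf '%s\n' "$GOOD"  | audit_switch_vlans 0 "3 4" && echo "GOOD: layout matches"
printf '%s\n' "$LEAKY" | audit_switch_vlans 0 "3 4" || echo "LEAKY: findings above"
```

On a router the function would be fed the real file, with the CPU port number taken from that device's own switch page in LuCI.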