I have two routers (let's call them main and PoE), a PoE switch and 3 PoE powered security cameras. The PoE router and the security cameras are all connected to the PoE switch.
I already set up fast roaming (without VLAN) for the two routers. I'd like to add VLANs to move the security cameras (and some other WiFi IoT devices) to a local-only VLAN.
Is this possible with a single PoE switch?
My concern is that the physical port connecting the two switches would need to be "tagged", but the cameras would need to be assigned to port(s) for a specific VLAN and be "untagged". Is my understanding correct?
You can do some logical segregation, like 2 IP configuration sets where the cameras go to a separate subnet, but for real isolation you need a smart switch that supports VLANs.
It is possible. I run a similar setup at my home with VLANs over unmanaged switches. You need to be more astute about how you configure network devices, as you cannot configure the switch, but otherwise you can achieve the desired outcome as you described.
This is true sometimes and with some potentially serious caveats. It's bad practice to use an unmanaged switch with VLANs, and IMO it's not worth it.
The behavior of tagged VLANs through an unmanaged switch is undefined and thus may or may not work properly. In the best case, the tags just flow through without issue. In some cases, though, the switch can choke or do other really strange things that can actually bring down an entire network.
There is no way to control the VLAN-port membership. What this means is that all VLANs will exist on all ports. This can create security issues.
There is no way to create access ports or change the tagging status of any given VLAN. Whatever is on the uplink in terms of the untagged and tagged VLANs will remain the same on all ports.
Most end devices (computers, game consoles, IoT devices, etc.) are not VLAN-aware and thus will only be able to join the untagged network (if there is one on the trunk), since it is not possible to make access ports per the above point.
Only VLAN aware devices would be able to join a tagged network. This is relatively easy on some operating systems (such as Mac OS) but may be considerably more difficult on Windows and some Linux flavors. In some cases with older devices, it's possible there won't be appropriate hardware support for VLANs.
So... for all these reasons, using unmanaged switches with VLANs is not recommended. And for the purposes of the OP's need, unless the cameras support VLANs (maybe, maybe not), a managed switch may be the only viable option.
The only issue I have seen is that in some rare cases non-VLAN-aware Ethernet devices may ignore the 802.1Q tags and accept the tagged packets in their unfiltered state, therefore destroying the purpose of having VLANs. A managed switch simply prevents that from happening. An unmanaged switch cannot prevent that from happening.
In my setup I have 2 x unmanaged switches connected to 2 x ports at the back of my OpenWrt router. One port is untagged and the other port carries all the tagged traffic, i.e. a trunk port carrying all VLAN.x.y.z traffic. So one switch carries all untagged traffic and the other switch carries tagged traffic. It works perfectly and predictably, no issues whatsoever, and keeps VLAN security.
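The layout this reply describes (one untagged port feeding the unmanaged switch, one trunk port carrying every VLAN) can be written down for the OP's local-only camera VLAN as an OpenWrt bridge-VLAN configuration. This is an added example, not the poster's own config: the port names lan1 to lan3, VLAN IDs 1 and 10, the 192.168.10.0/24 subnet, and the choice that only the trusted LAN may initiate connections towards the cameras are assumptions.

```uci
# /etc/config/network (OpenWrt 21.02+, DSA bridge VLAN filtering). Assumed
# ports: lan1 = trusted wired clients, lan2 = uplink to the unmanaged PoE
# switch with the cameras, lan3 = trunk to the second (VLAN-aware) router.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'

# VLAN 1 (trusted): untagged with PVID on lan1, tagged on the trunk.
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan3:t'

# VLAN 10 (cameras/IoT): untagged on lan2, so the unmanaged switch and the
# non-VLAN-aware cameras only ever see plain frames; tagged on the trunk.
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan2:u*'
    list ports 'lan3:t'

config interface 'iot'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

# /etc/config/firewall: VLAN 10 is local-only. There is deliberately no
# 'config forwarding' from iot to wan or lan; the router itself answers only
# DHCP/DNS, and only the trusted LAN may open sessions towards the cameras.
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'iot-dhcp-dns'
    option src 'iot'
    option proto 'udp'
    option dest_port '53 67'
    option target 'ACCEPT'

config forwarding
    option src 'lan'
    option dest 'iot'
```

The existing 'lan' interface keeps its subnet but must point at 'br-lan.1', and the iot interface needs its own 'config dhcp' section in /etc/config/dhcp before the cameras get addresses.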