Can that be done without having to set a specific physical port on the router for that vlan?
The EdgeRouter also has a built-in switch, so VLANs can be sent down multiple ports.
A quick, messy guide to creating VLANs on the EdgeRouter and assigning them to the AP-Lite.
I have set up 2 VLANs: one for my main home network (VLAN ID 99, IP range 192.168.99.1/24) and one for my guest Wi-Fi (VLAN ID 10, IP range 192.168.10.1/24).
From the main Dashboard click Add Interface > VLAN. Here's my example -
https://i.imgur.com/oY6dueq.png
Once you've created your VLANs, locate the switch0 interface and click Actions > Config. Click the VLAN tab and enable VLAN Aware. See my example -
https://i.imgur.com/5qL5KKM.png
Disable VLAN on eth0, which is what your modem is connected to. My AP-Lite is connected to eth2. "pvid" traffic is untagged VLAN traffic, "vid" is tagged VLAN traffic. This is important for the setup in the UniFi controller later.
You'll need to add new entries in the DHCP server and DNS tabs. See my examples -
https://i.imgur.com/S2UXYTc.png
https://i.imgur.com/xg7PR4a.png
As posted previously, this guide takes you through creating the firewall rules to block users on the guest Wi-Fi (in my case VLAN ID 10) from accessing other VLANs -
https://help.ubnt.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch0-with-Inter-VLAN-Firewall-Limiting
My main firewall rules page once done -
https://i.imgur.com/r1500I6.png
Now in the UniFi controller go to Settings > Wireless Networks and edit the SSID that you wish to use for guest Wi-Fi. Expand Advanced Options, check "Use VLAN" and enter the VLAN ID for your guest Wi-Fi network, in my case 10.
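
An added example, not part of the original post or of Ubiquiti's guide: a small Python audit that reads EdgeRouter `show configuration commands` output and lists which other VLAN subnets the guest VLAN can still open connections to. The config excerpt is constructed, and the ruleset and group names (GUEST_IN, PRIVATE_NETS) and rule numbers are hypothetical.

```python
import ipaddress
# Constructed `show configuration commands` excerpt; ruleset/group names are hypothetical.
SAMPLE = """\
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group PRIVATE_NETS
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 10 firewall in name GUEST_IN
set interfaces switch switch0 vif 99 address 192.168.99.1/24
"""

def parse(config):
    groups, rules, default, vifs = {}, {}, {}, {}
    for w in (line.split() for line in config.splitlines()):
        if len(w) == 7 and w[1:4] == ["firewall", "group", "network-group"] and w[5] == "network":
            groups.setdefault(w[4], []).append(ipaddress.ip_network(w[6]))
        elif len(w) == 6 and w[1:3] == ["firewall", "name"] and w[4] == "default-action":
            default[w[3]] = w[5]
        elif len(w) > 6 and w[1:3] == ["firewall", "name"] and w[4] == "rule":
            rules.setdefault(w[3], {}).setdefault(int(w[5]), []).append(w[6:])
        elif len(w) > 6 and w[1:5] == ["interfaces", "switch", "switch0", "vif"]:
            vifs.setdefault(int(w[5]), []).append(w[6:])
    return groups, rules, default, vifs

def verdict(net, rs, groups, rules, default):
    # Walk the rules in order; the first blanket rule covering `net` decides.
    for _, attrs in sorted(rules.get(rs, {}).items()):
        action, dsts, partial = "drop", None, False
        for a in attrs:
            if a[0] == "action":
                action = a[1]
            elif a[:2] == ["destination", "address"]:  # CIDR form only
                dsts = [ipaddress.ip_network(a[2], strict=False)]
            elif a[:3] == ["destination", "group", "network-group"]:
                dsts = groups.get(a[3], [])
            elif a[0] not in ("description", "log"):
                partial = True  # state/protocol/port match: not a blanket rule
        if not partial and (dsts is None or any(net.subnet_of(d) for d in dsts)):
            return "accept" if action == "accept" else "drop"
    # No rule decided: ruleset default (drop if unset); no ruleset attached means routed freely.
    return default.get(rs, "drop") if rs else "accept"

def reachable_from(config, guest_vid):  # other-VLAN subnets new guest connections can reach
    groups, rules, default, vifs = parse(config)
    rs = next((a[3] for a in vifs.get(guest_vid, []) if a[:3] == ["firewall", "in", "name"]), None)
    nets = [ipaddress.ip_interface(a[1]).network for vid, attrs in sorted(vifs.items())
            for a in attrs if vid != guest_vid and a[0] == "address"]
    return [str(n) for n in nets if verdict(n, rs, groups, rules, default) == "accept"]
```

An empty list from `reachable_from(config, 10)` means the guest VLAN is isolated from the other VLAN subnets. The check covers only the `in` direction, so access to the router's own addresses, which a `local` ruleset governs, is out of scope.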