If you are worried about the security of the brand name WiFi router, I would just try to set up pfSense on a stick (needs only one NIC).
I am pretty sure I have seen an official guide for that.
So basically, you plug your switch (access port) into the ISP router, and plug the pfSense box into another port (trunk port) on your switch.
Define a VLAN for internet, and have that access port tagged with the same VLAN.
Then turn off routing in your brand name router and use it as a pure access point. Now you can play with VLANs as much as you want.
I wouldn’t worry about the ISP router; it has no access to your network, and most traffic going through it should be encrypted anyway.
And for your brand name access points, you can block them from accessing the internet.
Edit: The guide: Official documentation for “router on a stick”
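An added example, not part of the original post: a small audit of a switch port plan for the one-NIC layout described above. It checks that only the ISP router and the firewall trunk sit in the internet VLAN and that every other VLAN in use reaches the firewall. The port names, VLAN IDs (99, 10, 20, 30) and device labels are assumptions made up for the illustration.

```python
# Constructed example: VLAN IDs, port names and devices are hypothetical.
WAN_VLAN = 99

def audit(ports, wan_vlan, isp_port, fw_port):
    """Return a list of findings for a one-NIC ("on a stick") firewall layout.

    ports maps a switch port name to {"mode": "access"|"trunk",
    "vlans": set of VLAN IDs, "device": label}.
    """
    findings = []
    isp, fw = ports[isp_port], ports[fw_port]
    # The ISP router may only ever see the internet VLAN.
    if isp["mode"] != "access" or isp["vlans"] != {wan_vlan}:
        findings.append(f"{isp_port}: ISP port must be an access port in VLAN {wan_vlan} only")
    # The firewall's single NIC must carry the internet VLAN on its trunk.
    if fw["mode"] != "trunk" or wan_vlan not in fw["vlans"]:
        findings.append(f"{fw_port}: firewall port must be a trunk carrying VLAN {wan_vlan}")
    for name, p in sorted(ports.items()):
        if name in (isp_port, fw_port):
            continue
        # Any other member of the internet VLAN talks to the ISP router directly.
        if wan_vlan in p["vlans"]:
            findings.append(f"{name} ({p['device']}): member of WAN VLAN {wan_vlan}, bypasses the firewall")
        # A VLAN that never reaches the firewall trunk has no gateway.
        missing = p["vlans"] - fw["vlans"] - {wan_vlan}
        if missing:
            findings.append(f"{name} ({p['device']}): VLAN(s) {sorted(missing)} not on the firewall trunk, no gateway")
    return findings

def make_plan():
    return {
        "port1": {"mode": "access", "vlans": {WAN_VLAN}, "device": "ISP router"},
        "port2": {"mode": "trunk", "vlans": {WAN_VLAN, 10, 20}, "device": "pfSense"},
        "port3": {"mode": "access", "vlans": {10}, "device": "desktop"},
        "port4": {"mode": "trunk", "vlans": {10, 20}, "device": "WiFi AP"},
    }

GOOD_PLAN = make_plan()
BAD_PLAN = make_plan()
# Misconfiguration: the AP uplink also carries the internet VLAN and an unrouted VLAN 30.
BAD_PLAN["port4"]["vlans"] = {WAN_VLAN, 10, 30}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, audit(plan, WAN_VLAN, "port1", "port2") or "no findings")
```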