First real network setup. Looking for confirmation that I'm doing it correctly.


ttabbal

Active Member
Mar 10, 2016
What are you installing custom firmware on? It sounds like a consumer wifi router, so something like DD-WRT? Yes, you can use the WAN port bridged to the others that way. I think some models have performance implications doing that. I doubt that it would be a big deal, but something to be aware of and perhaps look into.

How I use Wifi devices is to connect a single line to the LAN side, and set them to AP mode. They don't need to route anything. Most of the custom firmwares will support multiple SSIDs (wifi networks) on different VLANs. So you might have your normal wifi on VLAN1 connected to the internal network, and guest on VLAN2.

At that point, neither VLAN can see each other or the internet. I use a firewall box I built from older server parts to act as the internet gateway and route between VLANs. This keeps the wifi devices from having to have much configuration on them. Just the network IDs and passwords, and the VLANs. No NAT, DHCP, nothing. The routing, and other network configuration lives on the firewall. OPNsense in my case.

You can just have a different subnet on each SSID. That doesn't provide any real isolation though. An end device could just statically assign an address in the other range and be able to hit the other network. VLANs prevent this sort of thing. Also, DHCP is broadcast based, so you can't have different DHCP subnets on the same network/VLAN.
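The subnet-versus-VLAN point in the post above, worked through as a small model. This is an added example, not part of ttabbal's post; the addresses, VLAN IDs and device names are constructed, and the model only covers the on-link/ARP decision a host makes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    iface: str  # address/prefix configured on the device
    vlan: int   # VLAN of the SSID or port it is attached to

    @property
    def ip(self):
        return ipaddress.ip_interface(self.iface).ip

    @property
    def net(self):
        return ipaddress.ip_interface(self.iface).network

def same_segment(a, b, vlans):
    # Without VLANs every port and SSID shares one layer-2 broadcast domain.
    return a.vlan == b.vlan if vlans else True

def path(src, dst, gateways, vlans):
    """Return 'direct', 'via-firewall' or 'unreachable' for src -> dst."""
    if dst.ip in src.net:
        # dst looks on-link, so src ARPs for it; ARP is a layer-2 broadcast.
        return "direct" if same_segment(src, dst, vlans) else "unreachable"
    # Off-link: src must reach a gateway address inside its own subnet.
    for gw in gateways:
        if gw.ip in src.net and same_segment(src, gw, vlans):
            return "via-firewall"
    return "unreachable"

# Constructed sample network: VLAN 1 = internal, VLAN 2 = guest.
FIREWALL = [Node("fw-lan", "192.168.1.1/24", 1),
            Node("fw-guest", "192.168.2.1/24", 2)]
NAS = Node("nas", "192.168.1.10/24", 1)
GUEST = Node("phone", "192.168.2.50/24", 2)
# Same guest device after statically assigning an internal-range address.
REASSIGNED = Node("phone-static", "192.168.1.200/24", 2)

def compare():
    return {(s.name, "vlans" if v else "subnets-only"): path(s, NAS, FIREWALL, v)
            for s in (GUEST, REASSIGNED) for v in (False, True)}

if __name__ == "__main__":
    for key, result in compare().items():
        print(key, "->", result)
```

With subnets only, the re-addressed guest reaches the NAS directly and never crosses the firewall; with VLANs its ARP broadcast stays on the guest VLAN and goes unanswered.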