VLANs are L2; what you are doing is L3. You need both, or enough interfaces and hardware to just have multiple physical networks.
VLANs only exist so you can have 1 physical network but multiple logical (virtual) networks. Those networks aren't IP-networks, just Ethernet networks.
The ONT doesn't need to know anything about your internal network, you're probably getting a single IPv4 address and maybe an IPv6 prefix and that's it. Most likely you're setting up a PPPoE connection or a DHCP client on a specific VLAN and that's it on the WAN side. None of that translates or relates to your internal networks.
Code:
                                    │
   Stuff you cannot control         │   Stuff you can control
   (in residential cases)           │
                                    │
┌────────────────────┐              │             ┌─────────────────┐
│                    │              │             │                 │
│    The Internet    │              │             │ Your network(s) │
│                    │ ◄────────────┼───────────► │                 │
│                    │   Ethernet   │             │                 │
└────────────────────┘              │             └─────────────────┘
                                    │
On the internal side you might have multiple interfaces or VLANs, and you'd assign each a non-overlapping IPv4 range, generally in blocks that sit next to each other (often configured and known as subnets). You then run DNS and DHCP and NAT for those subnets, and use firewall rules to decide who gets to talk where.
If you don't have VLANs, it might look like this:
Code:
                                                 ┌────────────────────────┐   ┌──────────────┐
                              Ethernet 1         │                        │   │              │
                        ┌───────────────────────►│    Unmanaged switch    ├──►│    Server    │
                        │                        │                        │   │              │
                        │                        └────────────────────────┘   └──────────────┘
                        │
 Internet     ┌─────────┴───────────┐
  (WAN)       │                     │            ┌────────────────────────┐   ┌──────────────┐
 ───────────► │  Gateway / Router   │            │                        │   │              │
              │   and Firewall      ├───────────►│    Unmanaged switch    ├──►│      PC      │
              │                     │ Ethernet 2 │                        │   │              │
              └─────────┬───────────┘            └────────────────────────┘   └──────────────┘
                        │
                        │                        ┌────────────────────────┐   ┌──────────────┐
                        │     Ethernet 3         │                        │   │              │
                        └───────────────────────►│    Unmanaged switch    ├──►│    Guests    │
                                                 │                        │   │              │
                                                 └────────────────────────┘   └──────────────┘
Your router/gateway/firewall has multiple separate Ethernet interfaces, and you configure each of them to be separate. On each of those you connect a network switch so you can connect more than 1 device to them. The network switches are simple switches that have no clue about the network (including no clue about VLANs or subnets or IP addresses). The problem here is that you need to buy a switch for every separate network. But it works and doesn't require you to know anything about configuring switches.
Adding VLANs, it will then look like this:
Code:
                                                    ┌─────────────────┐   ┌──────────────┐
                                                    │                 │   │              │
                                                    │      VLAN10     ├──►│    Server    │
                                                    │                 │   │              │
                                                    │                 │   └──────────────┘
                                                    │     Managed     │
 Internet     ┌─────────────────────┐               │     Network     │
  (WAN)       │                     │               │     Switch      │   ┌──────────────┐
 ───────────► │  Gateway / Router   │  Ethernet 1   │                 │   │              │
              │   and Firewall      ├──────────────►│      VLAN11     ├──►│      PC      │
              │                     │  VLAN 10, 11  │                 │   │              │
              └─────────────────────┘   and 12      │                 │   └──────────────┘
                                                    │                 │
                                                    │                 │   ┌──────────────┐
                                                    │                 │   │              │
                                                    │      VLAN12     ├──►│    Guests    │
                                                    │                 │   │              │
                                                    │                 │   └──────────────┘
                                                    └─────────────────┘
Note that all of this happens on your side of the network; the ISP doesn't relate to any of this, they can't see it or interact with it. The switch connects to your router/gateway/firewall, and the connection at the firewall is set up to pretend there are 3 networks on that port. The switch does the same on its side, so now that single Ethernet cable can transport 3 virtual cables.
Then, the devices you connect to the switch will access a different network based on how you set up the switch. So for the top port, you might configure it to only access VLAN 10. The server doesn't need to know about it, it just plugs into the port. It doesn't need to know about it, because it only needs to access one network (VLAN number 10), so nothing fancy is required.
A complete example with tables and everything was already posted a bunch of times on this forum, so you can re-use that if you need more details.
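As an added example (not from the post above), a small Python script that turns the VLAN diagram into a Linux router-on-a-stick plan: it checks that the three per-VLAN subnets don't overlap, emits the iproute2 commands for the tagged subinterfaces, and generates an nftables forward chain where every VLAN can reach the WAN but only explicitly listed pairs may cross between VLANs. Assumptions: the tagged LAN port is eth1, the WAN port is eth0, and the 192.168.10.0/24 to 192.168.12.0/24 subnets are constructed sample values.

```python
import ipaddress

# Constructed plan (assumption): adjacent, non-overlapping /24s, one per VLAN,
# matching the three VLANs (10 server, 11 PC, 12 guests) in the diagram.
VLANS = {
    10: {"name": "server", "subnet": "192.168.10.0/24"},
    11: {"name": "pc",     "subnet": "192.168.11.0/24"},
    12: {"name": "guests", "subnet": "192.168.12.0/24"},
}
# Inter-VLAN flows the firewall permits as (src VLAN, dst VLAN); anything not
# listed is dropped. Here the PC VLAN may reach the server VLAN, guests get WAN only.
ALLOWED = [(11, 10)]


def check_subnets(vlans):
    """True when no two VLAN subnets overlap (overlap breaks routing and DHCP)."""
    nets = [ipaddress.ip_network(v["subnet"]) for v in vlans.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def iproute_commands(vlans, trunk="eth1"):
    """One 802.1Q subinterface per VLAN on the tagged port; the gateway takes
    the first usable address of each subnet (interface name eth1 is assumed)."""
    cmds = []
    for vid, v in sorted(vlans.items()):
        net = ipaddress.ip_network(v["subnet"])
        gw = next(net.hosts())
        cmds.append(f"ip link add link {trunk} name {trunk}.{vid} type vlan id {vid}")
        cmds.append(f"ip addr add {gw}/{net.prefixlen} dev {trunk}.{vid}")
        cmds.append(f"ip link set {trunk}.{vid} up")
    return cmds


def nft_forward_rules(vlans, allowed, trunk="eth1", wan="eth0"):
    """nftables forward chain: default drop, reply traffic allowed, every VLAN
    may reach the WAN, and only the listed VLAN pairs may talk to each other."""
    lines = [
        "table inet vlan_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for vid in sorted(vlans):
        lines.append(f'    iifname "{trunk}.{vid}" oifname "{wan}" accept')
    for src, dst in allowed:
        lines.append(f'    iifname "{trunk}.{src}" oifname "{trunk}.{dst}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Feed the generated ruleset to `nft -f` and the commands to a shell on the gateway; DHCP for each subnet is still a separate service bound to the matching eth1.N interface.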