Plug everything into a managed/layer2 switch, if you don't have one already, set IPs for everything and point to the appropriate ones, and you're good to go. https://www.amazon.com/Ethernet-Unmanaged-Shielded-Replacement-TL-SG108E/dp/B00K4DS5KU/
VLANs you will need either a managed switch, or devices with drivers that are configurable to speak VLAN tagging (e.g. some WiFi access points support this per-SSID).
I've started with a flat (untagged) network without VLANs for 99% of stuff and then set up a VLAN2 for guest devices on the same interface, and set my WiFi AP to use VLAN2 as the second SSID, they coexist on unmanaged switches just fine but most plug-in devices won't be able to join the VLAN on an unmanaged switch.
The best way is to get a managed switch unless you only care about the VLAN over WiFi. Doesn't have to be expensive, there are little 8-port $25-ish switches that support VLAN tagging.
I've got 2 of these I use with pfSense, bit of a learning curve but then I can split out my VLANs as needed.https://www.amazon.com/Ethernet-Unmanaged-Shielded-Replacement-TL-SG108E/dp/B00K4DS5KU
My current configuration I have 3 VLANs...one "untagged default" for trusted normal stuff, VLAN2 for guest/untrusted devices, VLAN3 for local-no-internet devices. This lets me use unmanaged switches for most things and managed switches where I need to break out a physical port on a VLAN.
Don’t the APs come with PoE injectors? Cannot remember. If so, just buy the $26 TP Link managed switch from Amazon. here