Comment on Feedback on Network Design and Proxmox VM Isolation

DeltaTangoLima@reddrefuge.com 8 months ago

VLANs are absolutely the key here. I run 4 SSIDs, each with its own VLAN. You haven’t mentioned what switch hardware you’re using, but I’m assuming it’s VLAN-capable.

The (high-level) way I’d approach this would be to first assign a VLAN for each purpose. In your case, sounds like three VLANs for the different WLAN classes (people; IoT; guest) and at least another for infrastructure (maybe two - I have my Proxmox VMs in their own VLAN, separate to physical infra).

VLANS

Sounds like 5 VLANs. For the purposes of this, I’ll assign them thusly:

  1. vlan10: people, 192.168.10.0/24
  2. vlan20: physical infrastructure, 192.168.20.0/24
  3. vlan30: Proxmox/virtual infra, 192.168.30.0/24
  4. vlan40: IoT, 192.168.40.0/24
  5. vlan50: guest, 192.168.50.0/24

That’ll give you 254 usable IP addresses in each VLAN. I’m assuming that’ll be enough. ;)

SWITCH

On your switch, define a couple of trunk ports tagging appropriate VLANs for their purpose:

  1. One for your Nighthawk, tagging VLANs 10, 20, 40 and 50 (don’t need 30 - Proxmox/VMs don’t use wireless)
  2. One for your Proxmox LAN interface, tagging all VLANs (you ultimately want to route all traffic through OPNsense)

If you had additional wired access points for your wireless network, you’d create additional trunk ports for those per item 1. If you have additional Proxmox servers in your cluster, ditto for item 2 above.

WIRELESS

I’m not that familiar with OpenWRT, but I assume you can create some sort of rules that land clients into VLANs of your choice, and tag the traffic that way. That’s how it is on my Aruba APs.

For example, anything connecting to the IoT SSID would be tagged with vlan40. Guest with vlan50, and so on.

PROXMOX

  1. Create a Linux Bridge interface for the LAN interface, bridging the physical interface connected to SWITCH item 2, above
  2. Create Linux VLAN interfaces on the bridge interface, for each VLAN (per my screenshot example)

You haven’t mentioned internet/WAN but, if you’re going to use OPNsense as your primary firewall/router in/out of your home network, you’d also create a Linux Bridge interface to the physical interface connecting your internet.

OPNSENSE

This is the headfuck stage (at least, it was for me at first). Simply put, you need to attach the Proxmox interfaces to your OPNsense VM.

I’m not going to attempt to explain it in reduced, comment form - no way I could do it justice. This guide helped me immensely in getting mine working.

If you have any issues after attempting this, just sing out mate, and I’ll try and help out. Only ask is that we try and deal with it in comment form here where practical, when Googlers in the future land here in the Fediverse.
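The VLAN, SWITCH, PROXMOX and OPNSENSE steps above boil down to one Proxmox `/etc/network/interfaces` file plus a handful of `qm set` commands on the OPNsense VM. The following script is an added example, not the commenter's configuration or screenshot: it takes the five-VLAN plan from the comment, checks it for the mistakes that bite people at the "headfuck stage" (overlapping subnets, VLAN ids outside the 802.1Q range, a trunk tagging a VLAN that was never defined), and renders the host config and VM NIC commands. Everything not in the comment is an assumption: the physical NIC names `enp1s0` (LAN, to SWITCH item 2) and `enp2s0` (WAN), the Proxmox host living on vlan30 as 192.168.30.2 with OPNsense as gateway 192.168.30.1, VM id 100 for OPNsense, and the choice of a VLAN-aware bridge with one tagged virtio NIC per VLAN (the other valid approach is handing OPNsense the untagged trunk and creating the VLANs inside OPNsense).

```python
import ipaddress

# Constructed from the VLANS section of the comment: id -> (purpose, subnet).
VLANS = {
    10: ("people", "192.168.10.0/24"),
    20: ("physical infrastructure", "192.168.20.0/24"),
    30: ("Proxmox/virtual infra", "192.168.30.0/24"),
    40: ("IoT", "192.168.40.0/24"),
    50: ("guest", "192.168.50.0/24"),
}

# Trunk membership from the SWITCH section: the AP never carries vlan30,
# the Proxmox port carries everything so OPNsense can route it all.
TRUNKS = {"nighthawk": {10, 20, 40, 50}, "proxmox": set(VLANS)}


def validate(vlans, trunks):
    """Return a list of plan problems (empty list means the plan is consistent)."""
    problems = []
    for vid in vlans:
        if not 1 <= vid <= 4094:
            problems.append(f"vlan {vid}: id out of 802.1Q range")
    nets = [(vid, ipaddress.ip_network(cidr)) for vid, (_, cidr) in vlans.items()]
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"vlan {a} and vlan {b}: subnets overlap")
    for port, vids in trunks.items():
        for vid in sorted(vids - set(vlans)):
            problems.append(f"trunk {port}: tags undefined vlan {vid}")
    return problems


def render_interfaces(vlans, phys_lan="enp1s0", phys_wan="enp2s0",
                      host_vlan=30, host_ip="192.168.30.2/24", gateway="192.168.30.1"):
    """Render ifupdown2 stanzas for PROXMOX steps 1 and 2 plus the WAN bridge.

    Assumed names: enp1s0/enp2s0, host address on vlan30, OPNsense as gateway.
    bridge-vids is restricted to the planned ids rather than 2-4094, so a VM
    cannot be tagged into a VLAN the plan does not know about.
    """
    lines = ["auto lo", "iface lo inet loopback", ""]
    for phys in (phys_lan, phys_wan):
        lines += [f"iface {phys} inet manual", ""]
    vids = " ".join(str(v) for v in sorted(vlans))
    lines += ["auto vmbr0", "iface vmbr0 inet manual",
              f"    bridge-ports {phys_lan}", "    bridge-stp off", "    bridge-fd 0",
              "    bridge-vlan-aware yes", f"    bridge-vids {vids}", ""]
    for vid in sorted(vlans):
        purpose, _ = vlans[vid]
        lines.append(f"# vlan{vid}: {purpose}")
        lines.append(f"auto vmbr0.{vid}")
        if vid == host_vlan:
            # Only the management VLAN gets a host address; everything else is
            # a plain Linux VLAN that exists so OPNsense can be attached to it.
            lines += [f"iface vmbr0.{vid} inet static",
                      f"    address {host_ip}", f"    gateway {gateway}"]
        else:
            lines.append(f"iface vmbr0.{vid} inet manual")
        lines.append("")
    lines += ["auto vmbr1", "iface vmbr1 inet manual",
              f"    bridge-ports {phys_wan}", "    bridge-stp off", "    bridge-fd 0", ""]
    return "\n".join(lines)


def render_qm(vlans, vmid=100, wan_bridge="vmbr1"):
    """Emit the qm commands that attach one virtio NIC per VLAN (net1..netN,
    tagged on the VLAN-aware bridge) and the WAN bridge (net0) to the OPNsense VM."""
    cmds = [f"qm set {vmid} --net0 virtio,bridge={wan_bridge}"]
    for i, vid in enumerate(sorted(vlans), start=1):
        cmds.append(f"qm set {vmid} --net{i} virtio,bridge=vmbr0,tag={vid}")
    return cmds


if __name__ == "__main__":
    issues = validate(VLANS, TRUNKS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_interfaces(VLANS))
    print("\n".join(render_qm(VLANS)))
```

Run it on the host once the plan validates, paste the first part into `/etc/network/interfaces`, apply with `ifreload -a`, then run the printed `qm set` lines against the stopped OPNsense VM. Inside OPNsense each of net1..net5 then appears as its own interface carrying exactly one VLAN, which is where the per-VLAN firewall rules (IoT and guest blocked from vlan20 and vlan30, and so on) get written.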
