When I turn off "vlan-aware" on switch0, all the VLANs can see each other again. I can ping VLAN5 (guest) and VLAN10 (IoT) devices from VLAN1 (native/home). VLAN5 devices can't ping/access the other VLANs due to (I think) the guest control post-authorization restrictions on the UniFi AP (which is good). Also, the guest captive portal works as expected.
But like this, as you said, since there are no firewall rules, VLAN10 can access devices on the primary (VLAN1) network, so it's not segregated.
So should I leave "vlan-aware" off and put in the firewall rules? I think the reason the VLAN5/VLAN10 traffic from the AP still works with "vlan-aware" off on the ER-X is because the AP is tagging the traffic on its end, but I may still be confused about how that works. And that also means I may not be able to accomplish what I want with eth2, separating that wired IoT device into VLAN10 with the other wireless traffic from eth4.
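As an added illustration (not from the original poster or from Ubiquiti's documentation), here is one EdgeOS configuration for the layout described above: `vlan-aware` left enabled on `switch0`, `eth4` carrying VLAN 5 and VLAN 10 tagged from the UniFi AP, `eth2` made an untagged access port in VLAN 10 for the wired IoT device, and a firewall ruleset on the VLAN 10 interface that stops IoT from initiating connections into the native VLAN 1 network. The subnets (`192.168.1.0/24` for VLAN 1, `192.168.5.1/24` for guest, `192.168.10.1/24` for IoT), the ruleset name `IOT_IN`, and the port roles are assumptions chosen for the example.

```text
configure

# Keep the switch chip VLAN-aware so ports can be given per-VLAN roles.
# Untagged ports default to pvid 1, which stays the native/home VLAN
# addressed on switch0 itself.
set interfaces switch switch0 switch-port vlan-aware enable

# eth4 goes to the UniFi AP: VLAN 5 (guest) and VLAN 10 (IoT) arrive tagged,
# AP management stays untagged on VLAN 1 (pvid 1 by default).
set interfaces switch switch0 switch-port interface eth4 vlan vid 5
set interfaces switch switch0 switch-port interface eth4 vlan vid 10

# eth2 is the wired IoT device: untagged frames on this port are placed in
# VLAN 10, so it shares the IoT segment with the AP's VLAN 10 clients.
set interfaces switch switch0 switch-port interface eth2 vlan pvid 10

# Router-side interfaces for the two tagged VLANs (addresses are assumed).
set interfaces switch switch0 vif 5 description Guest
set interfaces switch switch0 vif 5 address 192.168.5.1/24
set interfaces switch switch0 vif 10 description IoT
set interfaces switch switch0 vif 10 address 192.168.10.1/24

# Ruleset applied to traffic entering from VLAN 10. Replies to connections
# that the home network opened are allowed (rule 10); anything IoT tries
# to start toward the VLAN 1 subnet is dropped (rule 20). Internet-bound
# traffic falls through to the default accept.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN description 'IoT to LAN/WAN'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description 'Allow established/related'
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description 'Block IoT to home VLAN'
set firewall name IOT_IN rule 20 destination address 192.168.1.0/24
set firewall name IOT_IN rule 20 protocol all

# "in" covers traffic forwarded through the router; traffic addressed to
# the router itself (DHCP, DNS on 192.168.10.1) uses the "local" hook and
# is not affected by this ruleset.
set interfaces switch switch0 vif 10 firewall in name IOT_IN

commit
save
```

After committing, a ping from a VLAN 1 host to an IoT device should still succeed (rule 10 lets the reply back), while a ping or connection attempt from the IoT device toward a VLAN 1 address should time out. The same pattern, with a second ruleset on `vif 5`, can enforce guest isolation at the router rather than relying only on the AP's guest policy.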