I only pretend to be a networking guy for my church but think this may solve an issue. What exactly is a VLAN? I split our incoming network into a secure side and an open/guest side. The secure side is for church staff, printers, & a NAS. The guest side is for four open WAPs for anyone to use. I've had to pull separate wires from the central point to make it work and now am being asked for a secure connection at the end of the building where I already have a guest connection. Could a VLAN be configured that based on who or what device connected where it would be inside a secure side? This would save several hours of wire pulling and really simplify things. I basically don't want the NAS open to guest users.
I'm nowhere near an expert, so take my expertise for what it's worth.
A VLAN is simply a virtual LAN. From a practical standpoint, you can assign devices to different logical LANS that are part of the same physical network. For example, you may have VLAN10 which is 192.168.10.0/24 and VLAN20 which is 192.168.20.0/24. You can do routing between the VLANS or keep them separate. It's very common in an enterprise environment to use VLANS to segregate devices or users.
Will that solve your problem? Maybe. In normal use, your switch ports would be assigned to specific VLAN and would tag all packets coming though with the appropriate VLAN tag. This isn't a feature that most home switches have. Some home switches, like mine, will pass those packets while others will drop or ignore them.
I do know that most routers and even the Ubiquiti APs have a "guest" feature which I assume does a separate VLAN for guests behind the scenes, keeping their traffic separate from your secure VLAN.
I would go with a Ubiquiti solution where you deploy their APs around your church and have an Edgerouter Lite with a switch capable of passing the VLAN traffic. Their APs have the ability to run multiple SSIDs and even put certain SSIDs on different VLANS. You could have your NAS and secure clients on a VLAN that is firewalled from the VLAN with the guest users. Their APs hand off pretty smoothly between each other so that if one is out of range your client switches to another seamlessly.