I would set up Trusted, IOT and Guest VLANs. Put all PC’s, servers and NAS in it, all else goes to IOT (Phones, Tablets, streamers, cameras and NVR, etc). Create firewall rules to allow internet for all and let anything from the Trusted network to get to IOT and Guest, but block everything from IOT and Guest to Trusted (except for a couple exceptions). One exception is I don’t see a printer but if you had one I’d assign it a static in the Trusted and allow all VLANs to get to it’s IP. Another exception is I use PiHole (lives on Trusted) and I allow only port 53 (DNS) to those IPs, (I have 2 Piholes).
Your Unifi APs are VLAN aware but I have no idea on your router/switches (I assume at least the router is).
I’m pretty sure at least two of the routers are as well, maybe all of them.
I want to block the cameras from being accessed from the internet or accessing the internet. I want them to communicate with trusted (for configuration) and the NVR. And then I want the NVR to be able to access the internet
I would create another VLAN just for cameras with appropriate firewall rules. Allow Trusted into this “no-internet” VLAN but nothing to the internet. One way would be to figure out which ports the cameras use so you can add a firewall rule to allow communication to the NVR’s IP. Another way would be to set the NVR on a static IP in the IOT and allow all traffic to it from this camera VLAN, (this is probably the easiest but not the most secure).
As a side note, I try to set as many things that I can on a static IP, it enables the use of firewall rules, also helps with normal monitoring.
As another side note - The Unifi APs support up to 4 VLANs (1 per SSID) - they also support the use of a SSID with multiple passwords which will allow connection to a VLAN depending on which password is used. It’s a new feature and I haven’t used it, so idk how well it works or other issues.
Comes down to how you want people to access them. VLANs and Firewall rules are for restricting access. So that’s how you should approach this.
From what I can tell, you have switches with Layer 2 capability, which doesn’t help much… You’d want Layer 3 capability formost to try and seperate things in this network properly, and pass VLANs how you’d need for Firewall rules.
So how I would set them up? This is the definition of a mesh network, and not much can be segregated, due to the capability of your switches…