Problems setting up VLANs
I am a novice regarding VLANs and am having trouble setting them up on my (home) network.
I have the following configuration:
FWG <-> switch 1 <-> switch 2 <-> switch 3
           / \
   switch 4   switch 5
So switch 1 is wired to everything apart from switch 3.
The FWG and switch 1 are together, where the broadband/ phone line come into the house. The other switches are in other rooms. There are ethernet cables installed when the house was built running from where the FWG/ switch 1 is to each of the other rooms apart from to switch 3. Switch 3 is in a detached garage, and I was able to run an ethernet cable from the room with switch 2 to it. The switches all have various devices connected by wired ethernet.
Switch 2 and switch 3 have Wireless Access Points connected by cable.
The switches are all Netgear managed switches. Switches 2 and 3 are GS316EP, the others GS116E/GS108E. The WAPs are Netgear WAX220s and can map SSIDs to VLANs. The switches and WAPs are all set up with fixed IP addresses (on the ‘main’ subnet), both on the devices themselves and in the Firewalla app.
Three of the FWG ports are in use: 1 to switch 1, 3 to a (fallback) 4G LTE modem, 4 to the wired broadband modem. So I could cable switch 2 to port 2 of the FWG if that would help, so that switch 2 talks directly to the FWG rather than via switch 1.
I want to segment the LAN into three: IoT, IP cameras, and ‘main’. Each WAP has three SSIDs (so six SSID total), with the various wi-fi devices using the appropriate SSID, ready for the SSIDs to be mapped to VLANs. The garage SSIDs are only marginally ‘visible’ from the house and vice versa due to distance and walls in the way.
Traffic from the garage WAP has to travel through switch 3, switch 2 and switch 1 to reach the FWG.
I have set up the FWG with three LANs: VLAN networks for ‘IoT’ and ‘IP cameras’, and ‘main’. I have tried setting LAN ‘main’ as a VLAN and as not a VLAN. I am using ‘Advanced 802.1Q’ VLANs on the switches. I have set up a rule in the Firewalla app so that my PC and phone can send flows to all LANs and VLANs.
I can configure the VLANs on switches 1, 4 and 5, and the devices connected by wired ethernet appear on the appropriate VLAN OK. However, when I try to configure VLANs on switch 2 things start to fall apart: switch 2 appears on the IoT VLAN rather than the ‘main’ VLAN, and the WAPs ‘disappear’ so that I can’t log into them by their (fixed) IP addresses.
I have configured (say) switch 2 with the ports which connect to switch 1, switch 3 and its WAP all tagged with all three VLANs, on the assumption that VLAN flows need to go in both directions. Is that correct? I have tried leaving the PVID of the tagged ports as VLAN 1 (which I am not using) and changing them to the ID of the ‘main’ VLAN.
My (novice) understanding of VLANs is that a flow from a wired IoT device on (say) switch 2 gets a VLAN ID from the PVID of the switch port it is plugged into, and gets sent to switch 1 via the port which is tagged for that VLAN (and which happens to be tagged for the other two VLANs). But what happens when the data reaches the next switch (switch 1 in this case)? Do data packets arriving at a tagged port keep or lose their VLAN ID? Does switch 1 send the data packet on to the FWG with the original IoT VLAN ID? Or are ‘chains’ of switches unable to run VLANs because the VLAN ID is stripped from data arriving down trunks and so gets ‘marooned’ in the switch and dropped?
I have tried setting up the VLANs working away from the FWG - would it be better to start furthest away, i.e. the garage WAP, and work back towards the FWG?
Assuming you want all switches to serve devices on all VLANs, each connection that you want VLANs to carry has to be a trunk port. So if you have 3 VLANs, a trunk from FW > S1 and between each switch.
So from FW > switch you have a trunk and port 5 of the switch goes to switch 2. Both ports would be trunk ports. Think of them like a highway.
Trunks don’t have to allow all traffic. If one switch only has two VLANs you don’t need to allow traffic for the third VLAN on the trunk.
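The tag handling the question asks about (does a frame arriving on a tagged port keep its VLAN ID?) and the trunk ports the reply describes, as an added example that is not part of the original thread: a Python model of the 802.1Q ingress/egress rules with ingress filtering on. The VLAN IDs 10 (main), 20 (IoT), 30 (cameras) and the port definitions are assumptions for illustration; the second function goes slightly beyond the thread by also showing where an untagged frame that enters a trunk ends up, which depends on the trunk's PVID.

```python
# Added example (not code from the original post): a small model of the 802.1Q
# ingress/egress rules, following one IoT frame from an access port on switch 2
# across the switch 2 -> switch 1 -> FWG trunks. VLAN IDs 10/20/30 are assumed.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs that leave with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs that leave with the tag stripped

def ingress(port, vid):
    """Classify an arriving frame (vid=None means it arrived untagged).
    Returns the VLAN it joins, or None if ingress filtering drops it."""
    vlan = port.pvid if vid is None else vid    # a tagged frame keeps its VID
    return vlan if vlan in port.tagged | port.untagged else None

def egress(port, vlan):
    """Tag state on the way out: the VID (still tagged), None (tag stripped),
    or 'drop' when the port is not a member of that VLAN."""
    if vlan in port.tagged:
        return vlan
    if vlan in port.untagged:
        return None
    return "drop"

def forward(hops, vid):
    """Push one frame through (ingress_port, egress_port) pairs, one pair per
    switch, and return the tag state after each switch (or 'drop')."""
    trace = []
    for in_port, out_port in hops:
        vlan = ingress(in_port, vid)
        vid = "drop" if vlan is None else egress(out_port, vlan)
        trace.append(vid)
        if vid == "drop":
            break
    return trace

# Constructed ports: an IoT access port and a trunk tagged for all three VLANs.
IOT_ACCESS = Port(pvid=20, untagged={20})
TRUNK = Port(pvid=10, tagged={10, 20, 30})

def iot_frame_to_fwg():
    """Untagged IoT frame into switch 2, out its trunk, then through switch 1's
    trunk ports: tagged 20 on both hops, so the FWG receives it as VLAN 20."""
    return forward([(IOT_ACCESS, TRUNK), (TRUNK, TRUNK)], None)

def untagged_frame_on_trunk(pvid):
    """An untagged frame arriving on a trunk joins the trunk's PVID; with a PVID
    the trunk is not a member of (1 here) ingress filtering drops the frame."""
    return forward([(Port(pvid=pvid, tagged={10, 20, 30}), TRUNK)], None)
```

Real switches differ in whether ingress filtering is on by default, so a frame the model drops may instead be flooded on a switch that accepts non-member VIDs.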