Friday, March 30, 2018

Using VLAN to separate traffic from different WiFi networks?

I'm hoping someone has an idea of how to help me understand/implement this. We have a good number of guests in and out of our office. We want them to be able to connect to our WiFi in the building and get to the Internet, but:

  • We don't want them to be "on the same network" as our employee servers where they could get into our staff drives or communicate directly with any of our machines, and

  • We don't want connections coming in from the guest WiFi to get DPI-SSL through our firewall, because if you don't have a special certificate installed on your machine, you're not able to get to any secure websites. This is fine for our machines because we push the certificate out, but for guests it's a pain to download and install the certificate every time, and often they're not really OK with us installing stuff on their personal computers to begin with.

My boss has this idea that we can use VLANs and tagging to set it up so that guests get DHCP from the wifi routers and are placed on a separate VLAN with a different IP range, and we can then apply different rules to that range using the firewall. The problem is, there are only 3 of us in the department (including boss) and none of us has any experience with VLAN and we're collectively banging our heads against the wall trying to get our minds around this problem.

In an ideal world, this is how the setup would function:

  1. The (Aruba) wifi access points have 2 networks broadcasting: Internal and Guest. When you connect to Guest, you get DHCP and it assigns you an IP in a range that's different from the one we use internally.

  2. The Aruba is configured to add VLAN tags to traffic packets on both networks. For example, let's say it tags traffic on the Internal wifi as 10 and the Guest wifi as 20.

  3. The packets are passed on to a (Netgear GS748T) smart switch, which is configured to separate the traffic onto the 2 VLANs and then pass the packets on to the firewall with the tags left intact.

  4. The firewall (SonicWall NSA 2650) is configured to apply different rules to packets with different VLAN tags. It receives the tagged packets and applies DPI-SSL to packets tagged 10/Internal and does not apply DPI-SSL to packets tagged 20/Guest.
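To make the four steps concrete, here is an added example (not from the original post, and not vendor code): a small Python model of what happens to one Ethernet frame on its way from a Guest client through the AP uplink, the switch trunk and the firewall's VLAN sub-interfaces. The VLAN IDs 10 and 20 come from the post; the policy table, the native VLAN of 1 and the MAC addresses and payload are assumed or constructed for illustration only.

```python
"""Model of 802.1Q tagging along the AP -> switch -> firewall path.

Added example, not from the original post or any vendor: it shows what the
Aruba uplink (tagging), a Netgear trunk port (tag left intact) and the
SonicWall VLAN sub-interfaces (policy keyed on the VID) each do to a frame.
VLAN IDs 10/20 come from the post; the policy table, native VLAN 1 and the
MAC addresses/payload are assumed or constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100  # TPID: "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800

# Assumed firewall policy per VLAN sub-interface: (zone name, DPI-SSL on?).
VLAN_POLICY = {
    10: ("Internal", True),
    20: ("Guest", False),
}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when no 802.1Q tag is present
    pcp: int                # 3-bit priority from the tag, 0 if untagged
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13          # bits 15..13: priority code point
        vlan_id = tci & 0x0FFF   # bits 11..0: VLAN identifier
        offset = 18
    return Frame(dst, src, vlan_id, pcp, ethertype, raw[offset:])


def tag_frame(raw: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (AP uplink / trunk egress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if parse_frame(raw).vlan_id is not None:
        raise ValueError("frame already carries a tag")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return raw[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + raw[12:]


def untag_frame(raw: bytes) -> bytes:
    """Strip the tag, as an access port does before handing the frame to a host."""
    if parse_frame(raw).vlan_id is None:
        return raw
    return raw[:12] + raw[16:]


def classify(raw: bytes, native_vlan: int = 1) -> Tuple[int, str, bool]:
    """Decide which sub-interface/policy a frame arriving on the firewall trunk gets.

    Untagged frames on a trunk belong to the port's native VLAN (PVID); a VID
    with no sub-interface configured has nowhere to go, so it is dropped.
    """
    frame = parse_frame(raw)
    vid = frame.vlan_id if frame.vlan_id is not None else native_vlan
    zone, dpi_ssl = VLAN_POLICY.get(vid, ("drop", False))
    return vid, zone, dpi_ssl


def build_untagged_ipv4(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed untagged frame, as a wireless client would emit it."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed sample data (not captured from a real network).
GUEST_MAC = bytes.fromhex("020000000020")
GATEWAY_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes
UNTAGGED = build_untagged_ipv4(GATEWAY_MAC, GUEST_MAC, PAYLOAD)


if __name__ == "__main__":
    for vid in (10, 20):
        tagged = tag_frame(UNTAGGED, vid)
        print(vid, parse_frame(tagged), classify(tagged))
    print("untagged on trunk:", classify(UNTAGGED))
```

The thing to take from the model: a VLAN tag is just four bytes inserted after the source MAC, and every device on the path either adds it (the AP, per SSID), forwards it unchanged (a switch port that is a tagged member of that VLAN) or uses it to pick a sub-interface and then removes it (the firewall). The two checks that matter when wiring this up are the ones the `classify` function makes visible: the switch ports facing the AP and the firewall both have to be tagged members of VLAN 10 and VLAN 20, and any frame that arrives untagged on a trunk port is silently placed into that port's PVID/native VLAN, so the PVID on those ports should be a VLAN that carries nothing sensitive rather than the Internal one.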

I haven't been able to find any documentation in the switch manual or online about how to potentially set this up, or whether it's even possible in that configuration. If there are any VLAN gurus around here who want to help me work through this problem, or can even send me some links to good resources to help me sink my teeth into VLAN as a topic, I'd be eternally grateful.


