By no means am I a networking professional, so apologies in advance if I improperly utilize terminology.
I have a Procurve 1800 (predecessor to the 1810) with three VLANs configured, running to my pfsense box that handles inter-VLAN communication. Our place is wired for ethernet in each room, with the network core in a closet.
Assume the following:
VLAN 10 = primary LAN
VLAN 20 = guest LAN
VLAN 30 = VOIP and WAP management
On the Procurve, the first port is a trunk that goes to a single port on my pfsense box that is configured with three virtual interfaces, one for each VLAN. This port is also configured to access the WAN, which is on a separate physical port on the pfsense box that is connected to the ethernet interface on our ONT (FiOS).
On the pfsense box, I set up firewall rules to control traffic between VLANs, on said virtual interfaces linked to a single physical interface. Most of our devices are on VLAN 10, for personal/internal use. But, I have a SIP phone and adapter that are on VLAN 30. I want to be able to manage devices on VLAN 30 from any internal computer, all of which are on VLAN 10. The pfsense box firewall rules I set allow me to do this.
VLAN 20 is not a VLAN where I need to manage any devices-- it is solely for guest users, and I assign guest SSIDs from my two WAPs to this VLAN. Therefore, I created firewall rules to prevent devices on VLAN 20 from accessing any other VLAN-- they only have access to the internet (WAN).
My pfsense box handles DHCP via a service that runs on the virtual LAN interfaces, such that devices on VLAN 10 are handed IP address that look like xxx.xxx.x10.xxx, VLAN 20 = xxx.xxx.x20.xxx, and VLAN 30 = xxx.xxx.x30.xxx. Or, I can assign a static IP outside of the DHCP range I configured.
In this manner, not only can I manage VLAN 30 devices from any device on our primary internal network (VLAN 10), I can also hook up a new WAP (that supports VLANS) to a VLAN 30 tagged port on the Procurve, log into it from a computer on VLAN 10, and configure two SSIDs (for example), one on VLAN 10 for internal use, and another on VLAN 20 for guest use.
After doing this, and setting independent passwords, any device that has credentials to log into the SSID assigned to VLAN 10 can access all internal resources on VLAN 10 (printers, servers, etc). And, any device that has credentials to log into the SSID assigned to VLAN 20 can only access the WAN (internet).
Without the pfsense box managing dynamic addressing and controlling (enabling and blocking) access to devices across VLANs, I have no idea how the network would be essentially plug-and-play after the initial setup (setup includes extensive documentation and labeling so I know what is what in the core network rack).