DD-WRT dual BSSID wireless Access Point

So after weeks of reading DD-WRT forums about how to do this, I’m still struggling.

AIM: Set up a pfSense router with (at least) three subnets:
1. office LAN, wired
2. public wifi, controlled using pfSense’s captive portal
3. in-house wifi, routed to main LAN, WPA2, authorised users only

I’m pretty au fait with how all the above works; the challenge is using a Cisco router (E1000), flashed with DD-WRT firmware, as the dual BSSID wifi AP.
From reading, this is possible, and I’ve got the two wifi networks working, but only over the same subnet (bearable, but not as secure as separate subnets).

I’m complicating the matter by wanting to run only one network cable to the AP to carry the traffic of both wifi subnets. This is possible using VLAN tagging/trunking, both at the pfSense end and via my 802.1Q spec switch (a D-Link DGS-1224T).

Learning point/Question 1. On the switch, VLAN trunking is different from port trunking! The latter is link aggregation. Some people indicate I might be complicating things for myself if I have both tagged and untagged subnets down the same VLAN trunk; might be better to only send tagged traffic down the same VLAN trunk. TRUE??

Learning point/Question 2. I’ve slowly learnt that the hardware of routers uses vlan tagging and bridges internally to make them work. Any tagging I do has to not clash with the internal workings of the router (aka my AP). I’m hoping that

Learning point/Question 3. Because I thought it’d be simpler (ha) to have the three subnets out of the pfSense router going to three ports in different VLANs, I originally intended to have that traffic untagged, as per this: