The secure, upscale network in the single-family house

  • Created on 2020-06-06 23:00:54

Tarnari

2021-09-28 21:15:39
  • #1
That is all correct and clear. I was only concerned with whether I can still solve it since I do not know any way. I was not concerned with the probabilities of attack scenarios, but rather with feasibility. I conclude that it is apparently not practically feasible.
 

i_b_n_a_n

2021-10-03 18:07:28
  • #2
Have you checked out the Fing-Box? … At least with that, you have an overview when a new device is plugged in
 

rick2018

2021-10-03 19:17:55
  • #3
To notice whether a new device has registered, no additional box is needed. That is just a bottleneck in the system anyway…
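One way to do what rick2018 describes without extra hardware is to audit the DHCP lease file the router or server already writes. The following is an added example, not code from any poster: it parses constructed dnsmasq-style lease lines, compares each MAC against a constructed inventory of expected devices, and reports MACs that are not in the inventory as well as known MACs that show up with a different hostname.

```python
import re

# Constructed dnsmasq-style lease lines (expiry, MAC, IP, hostname, client-id).
# These values are made up for the example, not taken from the thread.
SAMPLE_LEASES = """\
1696350000 aa:bb:cc:00:00:01 192.168.10.20 nas-ds920 01:aa:bb:cc:00:00:01
1696350100 AA:BB:CC:00:00:02 192.168.10.21 gardena-gw *
1696350200 aa:bb:cc:00:00:03 192.168.10.22 laptop-q 01:aa:bb:cc:00:00:03
1696350300 de:ad:be:ef:00:99 192.168.10.77 android-3f2a 01:de:ad:be:ef:00:99
"""

# Constructed inventory: MAC -> hostname the owner expects for that device.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "nas-ds920",
    "aa:bb:cc:00:00:02": "gardena-gw",
    "aa:bb:cc:00:00:03": "printer",
}

# expiry  mac  ip  hostname  client-id
LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_leases(text):
    """Return a list of lease dicts; MACs are normalised to lower case."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        expiry, mac, ip, host, _client_id = m.groups()
        leases.append({"expiry": int(expiry), "mac": mac.lower(),
                       "ip": ip, "host": host})
    return leases


def audit(leases, known):
    """Flag devices that are not in the inventory or whose hostname changed."""
    findings = []
    for lease in leases:
        expected_host = known.get(lease["mac"])
        if expected_host is None:
            findings.append(("unknown-device", lease["mac"], lease["ip"], lease["host"]))
        elif expected_host != lease["host"]:
            findings.append(("hostname-changed", lease["mac"], lease["ip"], lease["host"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        print(*finding)
```

Run against the real lease file (for dnsmasq usually /var/lib/misc/dnsmasq.leases) from a cron job or a systemd timer and mail or log the findings; a hostname change on a known MAC is weak evidence by itself, but an unknown MAC on a wired port is exactly the event the thread is about.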
 

JoachimG.

2021-10-09 09:32:02
  • #4
What can work depending on the switch, firewall, and APs used:
e.g. FortiGate Firewall with FortiAP outside:
- Disable DHCP on the ports for the access points, set up a separate VLAN (outside).
- Set up an 802.1x server and have the APs and clients authenticate through it.
- Enable DHCP on the access point for the clients and configure the FortiGate as gateway and DNS, of course setting the appropriate routes there.
This way, only a client with successful 802.1x authentication receives an IP from the access point; if the access point is gone, there is no DHCP on that port anymore, and an attacker would have to try the address range and know the VLAN and the 802.1x credentials. With an additional VPN you can further increase security.
On another port, you connect your Gardena Gateway, set up a MAB and an ACL, meaning even with MAC spoofing the attacker only gets through if they use the same source IP and destination IPs and ports as the Gardena Gateway. In other words, they can at most access the Gardena services.

This is how I would do it.
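The MAB-plus-ACL step above can be modelled to see what a spoofed MAC actually gains. The following is an added example, not JoachimG.'s configuration and not FortiGate syntax: it is a small Python model in which a constructed MAB table binds the MAC learned on the Gardena port to an ACL that only permits the gateway's own source IP to reach constructed destination networks and ports. Evaluating a few flows shows that a device that copies the MAC but not the full tuple is denied, while one that copies everything is limited to the Gardena services, which is the residual exposure the post describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    src_ip: str      # exact source address the device is expected to use
    dst_net: str     # destination network in CIDR notation
    dst_port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.src_ip == self.src_ip
                and flow.dst_port == self.dst_port
                and ip_address(flow.dst_ip) in ip_network(self.dst_net))


# Constructed MAB table: MAC learned on the Gardena port -> ACL bound to it.
# Addresses are documentation/private ranges chosen for the example.
MAB_TABLE = {
    "aa:bb:cc:00:00:02": [
        AclRule("192.168.20.10", "203.0.113.0/24", 443),          # vendor cloud, HTTPS
        AclRule("192.168.20.10", "192.168.20.1/32", 53, "udp"),   # firewall as DNS
    ],
}


def evaluate(flow: Flow, mab_table=MAB_TABLE) -> str:
    """Decide a flow the way a port with MAB + ACL would: MAC first, then ACL."""
    rules = mab_table.get(flow.src_mac.lower())
    if rules is None:
        return "deny: MAC not authorized by MAB"
    for rule in rules:
        if rule.matches(flow):
            return "allow"
    return "deny: no ACL rule matches"


if __name__ == "__main__":
    legit = Flow("aa:bb:cc:00:00:02", "192.168.20.10", "203.0.113.5", 443)
    spoof_mac_only = Flow("aa:bb:cc:00:00:02", "192.168.20.50", "192.168.10.20", 445)
    print("legitimate gateway:", evaluate(legit))
    print("spoofed MAC, own IP, NAS share:", evaluate(spoof_mac_only))
```

The model also makes the remaining gap explicit: a flow that reproduces the gateway's MAC, source IP, destination and port is indistinguishable at this layer, so the value of the ACL is in shrinking what such a device can reach, not in identifying it.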
 

Tarnari

2021-10-11 19:42:56
  • #5
To revisit the topic…
Can someone recommend a router that can bring DHCP into the VLAN?
Additionally, currently a Fritz!Box handles the network access; if you combine that with a router, there would be double NAT. Is that really a problem if VPN etc. don’t matter? How does that look for VoIP?
I am also considering replacing my Windows 2016 Server, which runs 24/7 on a desktop PC, with a NAS. I am eyeing a Synology DS920+.
Can anyone assess whether this device is sufficient to replace a handful of Windows Server services (as VMs) and simultaneously handle Radius and DNS?

Addition: I have a legal Windows Server 2016 Datacenter license. That would of course cover all of this if I did everything in VMs. Such a server obviously costs.
Still an option?
 

rick2018

2021-10-12 07:18:40
  • #6
Why don’t you put the Fritz!Box into bridge mode or replace it with a pure modem? Then you won’t have double NAT. DHCP in the VLAN can actually be handled by any router that supports VLANs. What do you want to run on the Synology? You should upgrade the RAM. Then Windows will run somewhat decently. But not for computationally intensive tasks. Radius and DNS can be neglected. Anyway, in my home network there aren’t many devices, so it’s not a big load.
 
