UPDATE:
In the end we couldn’t set up VLANs as the switches weren’t managed, nor did they support the 802.1Q standard, which allows VLAN tagging. (We couldn’t do port-based VLANs because of the physical infrastructure.)
Subnets aren’t very useful as they don’t provide any security…
So we stayed with MAC filtering on the LAN and some basic firewall rules, which would prevent dirty stuff even in case someone has managed to get access to the network.
Thanks so much for all your help!