
VLAN on a regular switch

Posted: Thu Nov 15, 2018 3:12 pm
by BostjanC
I have a router/switch/gateway and a regular ‘dumb’ switch.

I’ll use VLANs.

Most devices will be connected to the router. One (occasionally three) devices will be connected to the switch.

Will VLAN also work for a device connected to that regular switch? If not, what do I need?

Thanks for the explanation.

Re: VLAN on a regular switch

Posted: Fri Nov 16, 2018 4:54 pm
by Deantwo
If the regular switch doesn't support VLANs, it might be easier to not use VLANs at all.
Or simply get a managed switch that does support VLANs.

Re: VLAN on a regular switch

Posted: Fri Nov 16, 2018 7:06 pm
by anav
Yes, it should in the sense that any device attached to the unmanaged switch will reach the router.
However, are any of the devices attached to the unmanaged switch able to VLAN tag their output?
I suspect not, so then you run into an issue: there is no way to parse device traffic to a specific VLAN, and the traffic will go to the router as normal LAN traffic based on which Ethernet port on the router is attached to the unmanaged switch. If you didn't want those 3 devices on normal LAN traffic, you could assign another LAN, called DMZ, and have them on that LAN and then use firewall rules appropriately (just make sure they are not on the same bridge or not the bridge of the regular LAN). You could assign ONLY ONE VLAN to the Ethernet port going to the switch and then accept untagged packets from the devices (all traffic coming from the unmanaged switch), and thus they would be on a single VLAN.

Not much more to do though until you provide better requirements of what you are trying to accomplish in words without speaking to design or solution space. :-)

Re: VLAN on a regular switch

Posted: Thu Nov 29, 2018 5:38 am
by Aron688
An unmanaged switch generally does not support VLAN. A managed switch can do that.

Re: VLAN on a regular switch

Posted: Thu Nov 29, 2018 7:07 am
by vecernik87
The "support VLAN" statement is ambiguous.
- Does "support" mean it must do VLAN filtering on ports?
- Does "support" mean it passes VLAN-tagged packets? (i.e. it does not drop 0x8100 ethertype frames, it does not drop packets due to size being larger than MTU)
- Is there some different definition?

My personal experience shows that most unmanaged switches pass VLAN-tagged packets without issue. Obviously, you can't configure it, so every single port acts as a "trunk" (therefore no VLAN filtering, no edge ports which strip/inject VLAN tags etc... - what comes in, that comes out. Exactly as it is.)
In some specific cases, you may encounter a situation where the switch drops VLAN-tagged packets. That is usually caused by the extra overhead which comes with the VLAN tag (and therefore the packet getting bigger than the supported MTU, thus forcing the switch to drop the frame).

Re: VLAN on a regular switch

Posted: Wed Dec 12, 2018 12:21 pm
by Melody5781
Non-managed switches don't have a way to define or manage VLANs, nor do they support VLAN frame tagging for trunk support. You can try to link the unmanaged one with a managed one and configure VLAN.

Re: VLAN on a regular switch

Posted: Wed Dec 12, 2018 1:25 pm
by Jotne
@BostjanC
What type of switch do you have? Brand/Model?

As others here write, tagged packets may pass directly through it. Going in on one port, out another port.
As if all ports are trunked. And if you have one VLAN (typically VLAN 1) untagged, it will act as a hybrid trunk switch.
VLAN 1 goes untagged to all ports, tagged packets go to all ports.

Re: VLAN on a regular switch

Posted: Wed Dec 12, 2018 8:13 pm
by mkx
My guess is that dumb switch might work in VLAN-infested network ... with (at least) two gotchas:
  1. it has to support using "small jumbo" frames.
    Traditional ethernet is using 1500 bytes as MTU and many (slightly) older switches support that and nothing more. VLAN adds a header with size of 8 bytes, so physical MTU has to be at least 1508 bytes. The before-mentioned (slightly) older switches would truncate such frames. Most of the newer dumb switches do support the needed "small jumbo" frames, so this is normally not an issue.
  2. as already mentioned, dumb switch will not care about VLAN tags. Since normal L2 device which uses more than one VLAN uses same MAC address for all of them, dumb switch has no way of learning which frames should go to some destination and which not. Meaning that it can easily happen that device receives frame with wrong VLAN (probably due to somebody injecting frames with combination of dst-MAC and VLAN-id which is not allowed).
    If ingress filtering is enabled on all (important) devices, then this kind of "attack" should not be successful.
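
As an added illustration (not part of any post in this thread), the Python example below models the points raised above: how a frame with ethertype 0x8100 is recognized, why a full-size tagged frame is longer than a full-size untagged one, and how ingress filtering on a VLAN-aware port rejects a frame whose VLAN ID the port is not a member of. The frames, MAC addresses, VLAN IDs and function names are constructed for the example; the tag layout follows IEEE 802.1Q.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
LEGACY_MAX = 14 + 1500       # untagged header + 1500-byte payload, FCS excluded

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Construct a sample Ethernet frame; vlan=None leaves it untagged."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID of a tagged frame, or None for an untagged one."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID

def exceeds_legacy_limit(frame):
    """True if a switch limited to classic untagged frame size would drop it."""
    return len(frame) > LEGACY_MAX

def ingress_accept(frame, allowed_vlans, pvid=None):
    """Ingress filtering on a VLAN-aware port behind the dumb switch.
    Untagged frames join pvid (dropped if pvid is None); tagged frames
    are accepted only when their VLAN ID is a member of this port."""
    vid = parse_vlan(frame)
    if vid is None:
        return pvid is not None
    return vid in allowed_vlans

# Constructed sample frames (MAC addresses and VLAN IDs are made up).
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FULL = bytes(1500)
untagged = build_frame(DST, SRC, 0x0800, FULL)
tagged_ok = build_frame(DST, SRC, 0x0800, FULL, vlan=20)
tagged_bad = build_frame(DST, SRC, 0x0800, b"x" * 46, vlan=99)

if __name__ == "__main__":
    for name, f in [("untagged", untagged), ("vlan20", tagged_ok), ("vlan99", tagged_bad)]:
        print(name, parse_vlan(f), len(f), exceeds_legacy_limit(f),
              ingress_accept(f, allowed_vlans={10, 20}, pvid=10))
```
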

Re: VLAN on a regular switch

Posted: Wed Dec 12, 2018 10:52 pm
by BostjanC
My first plan was to reuse my current dumb switch for 20€.

But now I'm considering 3 hap ac2 devices.
Do they all have to have the same VLAN settings or do I need to set the VLAN on just one hap ac2 device?

Re: VLAN on a regular switch

Posted: Thu Dec 13, 2018 8:25 am
by mkx
Good practice would be to set up VLANs on all devices according to needs (you might end up with identical setups on all of them).