Vlans are nothing but another network that shares a common switch. Don't over think them.
Take a switch, if you have a 24 port switch and are only using ten ports on it, but you need to add another network, instead of going out and buying another switch you can use a vlan to utilize the other ports on the switch. Vlans make one switch act as 2, or more, switches.
The way you would do this is by using a trunk port. Trunks carry multiple vlans. So on the pfSense you would add a vlan (say vlan10) with your LAN interface as parent. This makes the LAN interface a trunk with your LAN being untagged, and vlan10 being tagged. Untagged means any traffic that isn't tagged with a vlan id will use the untagged vlan, also know as pvid (port vlan ID).
So on your switch, whichever port is connected to the pfSense LAN needs to be a trunk also. In this example it would have the pvid untagged and 10 tagged.
That gets both LANS to your switch, to access vlan10 you would need to untag vlan 10 on any ports you need it on. You now have 2 switches by using one. Make sense?
Keep in mind, a tagged port needs to be plugged into a tagged port. So if you tag vlan10 on port 13 and plug a pc into it, it won't use vlan13 unless you tag 10 on the PC's interface. That's why you would untag 10 on access ports used by vlan 10.
That would not block other devices since they are all on the same layer 2 segment. Layer 2 is switching, layer 3 is routing. When you access your cameras from your LAN, the traffic doesn't even go to your router. It hits a switchport and is sent to another switchport only.
Yes, that rule would block NTP. You would have to add a pass rule above that one with your cameras (add an alias with all camera IP's in it) as source, and LAN net as destination on port 123. But your best bet is to allow your NVR to port 123, then sync all cameras to the NVR.
Here's my Camera Rules attached.
The top one is my NVR time sync.
Next allows my CAMNet access to an offsite recorder over a vpn.
Next allows cameras to iSCSI storage device.
That's all. Nothing else needed.
The bottom 2 are to allow the NVR and recorder access to the internet to do updates. I leave them disabled until needed.