How do I get 2 separate bridges for two separate VLANs?

[DontKnowTheBasics]

Basically, I have two VLANs in my home network (Internal-Server and Public-Server), and one of them (Public-Server) can't talk to any other VLANs. Now, I have set up Proxmox on my Intel NUC, and I want to have two VMs, one for my Public and one for my internal servers. Now my question is: how do I configure the networks to be as isolated as possible? Also, if I try to simply add a second bridge, I cannot configure a gateway. As far as I have read, that's because you can only have one per physical system, but how does it work? Can the one Public VM still talk with the Internal VLAN because it uses the same gateway?

I know this is probably a stupid question, but so far, I haven't found anything online.

Thank you for your help in advance.

 

[UdoB]

There is more than one approach to this one. (There are VLAN-aware bridges and the whole SDN thing.) I went the simpliest way possible: a single NIC is physically connected to a VLAN aware switch. Now I can create bridges per VLAN. The bridge itself - and the connected VMs - sees only "untagged" traffic. This excerpt of /etc/network/interfaces creates a bridge for VLAN #2 and VLAN #4:

iface enp3s0 inet manual

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp3s0.2
        bridge-stp off
        bridge-fd 0
#dmz

auto vmbr4
iface vmbr4 inet manual
        bridge-ports enp3s0.4
        bridge-stp off
        bridge-fd 0
#aux

Traffic from one bridge to the other is only possible by being routed through a router. A router connects different networks ;-)

The node itself has no IP address assigned, as can be seen above. The VMs are isolated from the host. Only VMs have IP addresses in this fragment of my topology. One of these VMs is a software router based on Debian. This one has a NIC connected to each bridge. Rules define which traffic is allowed. There are dozens of software routers out there...