Securing the port of an outdoor AP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-04-26 13:25:26
Model: TL-SG2008  
Hardware Version: V3
Firmware Version: 3.0.7

I have a full Omada network with an ER605 gateway, TL-SG2008 and TL-SG2008P switches, some EAP650 APs, and an EAP225-outdoor (soon to be replaced with the EAP650-outdoor).  My controller is running in Docker on a Synology NAS.

 

Generally speaking, I want to keep my network relatively simple.  Everything is currently running on default VLAN 1 and I generally want to keep it that way.  What I really want to try to do is secure the switch port that the outdoor AP is connected to such that if someone were to disconnect the AP and plug in a PC, they couldn't get on the main network.  Essentially, I'd like to keep using VLAN 1 for clients connecting to the outdoor AP but have the physical connection be protected such that if you plugged a laptop to it, it would NOT land on VLAN 1.  I DO NOT want to have to put my controller (in Docker on my NAS) on a VLAN other than VLAN 1.

 

Is this possible?  I've read over the guide about configuring a management VLAN but it's rather unclear what exactly that does or does not do and it sounds as though the controller would have to be on that VLAN which isn't going to work for me.

1 Reply
Re:Securing the port of an outdoor AP
2023-04-26 20:58:54

  @SingletrackMind The only secure way is to use 802.1X authentication.

Other alternatives that will deter prying eyes are adding the devices to the management VLAN and adding firewall rules to block traffic from the user's network.

Things that will not deter people with basic know-how: MAC-based authorization.

 

 
