Isolate device on green network from rest

I would like to isolate a device which is connected to the green network from the other devices. The device should only be allowed to communicate with another device in the green network and with the Internet. Communication with all other devices is not permitted.

Do I need a VLAN for the solution?
What does the IPFire setup look like?

It all depends on the router behind the IPFire.
IPFire does not care because it sees only the one router in the green network.

2 Likes

And it depends on the physical connections. An ethernet network can communicate without the gateway.

1 Like

It sounds like this can also be done by configuring the software firewall on Device-1.

2 Likes

I’m sorry I had a mistake in the graphic which probably caused confusion! :face_with_spiral_eyes:

I have replaced the graphic!

If this is the whole setup, it looks similar to mine. Your isolated device would be green ipfire and the switch blue eth. The green default config allows connecting to all other devices, but the blue ones are restricted.

The blue network is used for WiFi and orange for my server.

I think I need to configure VLAN on the switch.
But I don’t know how to set it up or whether it’s even possible.

Sounds like a set of firewall rules, which you wouldn’t use a VLAN for.

VLANs are for routing zones and not firewall rules.

Device 1 should not be in the Green or the Blue zone.

IMVHO Orange (and appropriate rules) seems the better one; however… not knowing what the devices are… it’s just an educated and limited guess.

1 Like

Firewall rules are active for connections flowing through IPFire, only.
Two devices connected to the same ethernet switch can communicate directly.
With VLANs on a managed switch it may be possible to separate two trunks.

1 Like

If I set up two VLANs in the switch, how should I set up IPFire so that both VLANs have a connection to the Internet?

Do you know a good description?

Setting up VLANs is a way to achieve the same result with fewer network ports and network cables.
However, that is the “second” step; the first one is to design a network solution that delivers the results you’re asking for.

Placing device 1 in the green subnet won’t allow you to pursue your goals.

2 Likes

VLANs is your solution. Pike is right. The graphic is correct: Green network between IPFire and the switch, then you need a smart switch that can configure VLANs on it. Most smart switches have this ability built in, but the instructions to set this up vary slightly by vendor. Look up the documentation for your switch to get its capabilities and setting up VLAN communications.

2 Likes