Hi!
Basically you have understood the rule.
Given that your HP 2530 doesn't support IP Routing, VLANs are then transported (tagged) necessarily (at Layer 2) to your Firewall which is the device into which IP Routing between VLANs happens (protected by related ACL).
Apart from that non irrelevant detail, yes...you tag/untag a port with a particular VLAN (doing so you are just making that port tagged/untagged member of said VLAN).
So start on the HP 2530, create a VLAN id for your WiFi clients, say VLAN id "x" and then propagate that VLAN "x" over the uplink up to the access switch HP 2626: to do so generally - having more than one VLAN id to propagate - you need to tag the ports pair (on the uplinking switch, your 2626, and on the downlinking one, your 2530) to be both members of the same VLAN id(s).
In this case, as you wrote, you should tag port 26 (on 2626) and port 48 (on 2530) to be tagged member on same VLAN id "x" dedicated to your WiFi clients.
On the access side, where you will connect your WiFi AP, you should untag the related port with the same VLAN id "x".
But...there are cases where the AP is connected to port (since it is VLAN aware) where more VLANs are transported (rendering that port less an access port and more link a uplink port)...this really depends on your WiFi/AP configuration....generally IF the WIFI AP can be seen as a normal host (not always the case: think about when you have WiFi APs with their VLAN id dedicated to management and one or more VLAN id(s) one for each WiFi SSIDs used) you just need to untag the port on VLAN id "x".
Once you untag a port on a VLAN id "x" which is not the VLAN 1 (Default) automatically the port became no untagged on VLAN 1 (that's HP typical). If you instead tag a port into a new VLAN that port will remain untagged into the VLAN it has configured to be untagged member of (generally VLAN 1 but can be changed).
Once you have a port tagged into a particular VLAN (or more than one)....if you want...you can remove the untagged traffic (that generally happens on uplinks between switches or between a switch an a router/firewall)...that will leave the uplink carrying only tagged traffic on particular permitted VLAN ids.
Now you have to understand how to transport the VLAN dedicated to WiFi to your Firewall (since 2530 doesn't support IP Routing) where the connection to DHCP and other services (Internet access via NAT, I suppose) will happen.
Generally there are two ways...(a) transport tagged the VLAN id "x" (WiFi) and define a (logical) interface on the existing LAN interface with the same VLAN id "x" and properly IPv4 addressed (the Firewall is going to be the gateway for your WiFi Clients and, somewhere, a reacheable DHCP Server will release them required IP addresses) or (b) transport untagged (or tagged) said VLAN id "x" to another dedicated physical port (LAN side) on your Firewall separating the existing traffic from the WiFi one. This clearly will require another uplink port on your 2530 (as well as, as said, another LAN port on your Firewall)...not always a possible approach.
I'm not an HPE Employee
