Hi Marco,
Yes, that's the way. I would imagine vlan-12, where the wanos wan0 and the current firewall interface would be placed. The wanos lan0 would then become a member of vlan-11.
Also, then if you ever wanted to bypass the wanos vm, the firewall port would be switched back to vlan-11.