VoIP Segregation: VLAN or Subnet... soft phones?

Hi and thanks in advance.

I’m working on a deployment plan for a small business. Trying to replace a bulletproof AC Partner Rev6. I tried to talk them out of it LOL.

My server is built and testing well. I have a homelab going with one hard phone and softphones set up, making calls etc. My SIP provider is Twilio. ISPs are Cox and CenturyLink. POTS also.
I’ve done a lot of searching, but network segregation tactics are stumping me; a few hints would really help.

VoIP and data VLANs or subnets? The latter seems simpler and higher performance.

VLAN or subnet, I’ll have some AC/DC machines. These are iMac workstations which browse extensively. Hence I want them separate. But… I’d also like softphones on them!

Network hardware: a MikroTik 3011, which I’ve been studying for days in the lab, and two UniFi PoE switches, a 24 and a 48, which apparently will do VLAN tagging if I need it.

Besides picking one or the other, VLAN or subnet, in a single endpoint (iMac w/ softphone), how can I keep surfing on the data side, yet let a softphone on the same machine reach over to my Asterisk? Or frankly, vice versa: I don’t want the data side attacked from the VoIP side either.

I know localnet will take multiple subnets. So I could just put both sides in that setting, which will let the phones register, I read. But would that breach my segregation in general?

Perhaps some filters either in Asterisk or my firewall can let SIP and its RTP connection over but hold the rest on the other side. L2TP or IPsec would cross, but at what price?

All suggestions welcome, thank you.
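As an added illustration of the "let SIP and its RTP over, hold the rest" idea from the post (not the poster's configuration): a RouterOS forward-chain filter for the MikroTik that permits softphones on the data VLAN to reach only the PBX, only on SIP and the RTP port range, and logs every other crossing between the two VLANs. The addresses (data VLAN 10.10.10.0/24, voice VLAN 10.10.20.0/24, Asterisk at 10.10.20.5) and the RTP range 10000-20000 (Asterisk's rtp.conf default) are assumptions for the example.

```routeros
# Constructed example addressing; substitute the real VLAN subnets and PBX address.
/ip firewall address-list
add list=data-lan  address=10.10.10.0/24 comment="workstation/data VLAN"
add list=voice-lan address=10.10.20.0/24 comment="hard phone/voice VLAN"
add list=pbx       address=10.10.20.5    comment="Asterisk server"

/ip firewall filter
# Stateful rules first: replies to permitted flows pass, broken state is dropped.
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward connection-state=invalid action=drop comment="drop invalid state"

# Softphones on the data VLAN may open SIP signalling (UDP 5060) to the PBX only.
add chain=forward src-address-list=data-lan dst-address-list=pbx \
    protocol=udp dst-port=5060 action=accept comment="softphone SIP -> PBX"

# ...and RTP media to the PBX within Asterisk's default rtp.conf range (assumed 10000-20000).
add chain=forward src-address-list=data-lan dst-address-list=pbx \
    protocol=udp dst-port=10000-20000 action=accept comment="softphone RTP -> PBX"

# Default deny between the two VLANs in both directions, logged so crossings show up.
add chain=forward src-address-list=data-lan dst-address-list=voice-lan \
    action=drop log=yes log-prefix="deny data->voice" comment="data -> voice default deny"
add chain=forward src-address-list=voice-lan dst-address-list=data-lan \
    action=drop log=yes log-prefix="deny voice->data" comment="voice -> data default deny"
```

Media from the PBX back to a softphone normally rides on the connection-tracking entry the softphone's own outbound RTP created, so one-way audio is the symptom to watch for if the PBX starts sending first. Asterisk's localnet setting only tells it which addresses are local for NAT handling; the boundary between the VLANs is enforced by these filter rules, not by that setting.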