The First Wireless Card is assigned to my normal Network with wpa2-personal.
The second Wireless Card is used as open Network with no authentification.
I assigned a Max Bandwith with QoS but how can i put my second wireless into a vlan so users using it dont have Access to my actual Network.
I have something similar. Create a firewall forward rule. in Input, choose your open network interface (and VLAN if appropriate). In output, choose your WAN network (I assume you only want them to be able to get out to the internet). Check the ‘Not’ checkbox on the Output side.
Under ACTION, choose reject. I have with icmp host unreachable, but you can select whatever you want there, I think.
What this will do, is block any traffic coming in on the open WLAN and if it isn’t destined for the outside world (IE: the Internet), then it will be dropped.