This is a common request and fairly straightforward to implement.
1- Buy a managed switch and create 3 VLANs: one for the private network (wireless), one for IoT devices and one as the management VLAN. Each one will have a separate subnet.
There are two questions here:
Will it be a Layer 2 or Layer 3 switch?
If it's a L3 switch, do you want to lean towards performance or security? Because each option will change the design.
Personally, I always lean towards performance, but my concerns and priorities may be different than yours.
3- Deploy OpenVPN with PKI and allow redirect traffic only, no access to my internal network.
This is easy to do. It's as simple as a checkbox on the OpenVPN config and a firewall rule.
4- Implement AV, Snort and web-filter on pfSense, as I use AV and web-filter now on my Asus router.
You can install Snort or Suricata for IDS/IPS, but the only AV and web-filtering options on pfSense require you to install the Squid package. Personally, instead of trying to leverage pfSense packages that may give you semi-effective, UTM-like features, I'd recommend actually implementing a UTM product. For example, I have Untangle running in bridge mode inside of a VM which sits between pfSense and my core switch providing AV, web filtering, application control, reporting, etc.
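For the OpenVPN point (PKI plus "redirect traffic only, no access to my internal network"), here is an added example of what the server side looks like. It is not the poster's configuration; the file paths, the 10.8.0.0/24 tunnel pool, the DNS address and the interface name mentioned below are assumptions.

```conf
# OpenVPN server config (added example; paths and subnets are assumptions)
port 1194
proto udp
dev tun

# PKI: CA, server certificate/key, DH params and TLS-auth key generated with easy-rsa
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0

# Only clients presenting a certificate signed by this CA (with the client EKU) may connect
remote-cert-tls client

# Tunnel address pool; must not overlap the wireless, IoT or management VLAN subnets
server 10.8.0.0 255.255.255.0

# Send all client traffic through the tunnel.
# "def1" adds 0.0.0.0/1 and 128.0.0.0/1 routes instead of replacing the client's default route.
push "redirect-gateway def1"
# DNS for clients while connected (assumed: the VPN server's own tunnel address)
push "dhcp-option DNS 10.8.0.1"

# Deliberately no "push route" lines for the internal VLANs: the routes are never handed out,
# and the firewall rule described below blocks them even if a client adds them manually.

keepalive 10 120
cipher AES-256-GCM
persist-key
persist-tun
verb 3
```

The "no access to my internal network" part is the firewall rule: on the OpenVPN interface (pfSense names the server instance something like ovpns1, an assumption here), add a block rule from the tunnel subnet (10.8.0.0/24 in this example) to each of the three VLAN subnets, placed above a pass rule that allows everything else. Redirected internet traffic still leaves through the WAN (automatic outbound NAT covers the tunnel subnet on pfSense), while anything destined for the wireless, IoT or management VLANs is dropped. Putting the deny rule on the firewall rather than relying on "no pushed routes" is what makes this a real boundary instead of an obscurity measure.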