Hi all!
I have a RB850gxs, configured ad capsmanager with dual wifi and a single wan access.
Wlan1 is private, configured in a bridge with ether1 on my private lan, dhcp relay on it, and it works.
Wlan2 is guest network. Clients only may go on internet.
I configured guest caps on a bridge, dhcp server on on it. Clients connects, but doesn’t works.
Gateway is 192.168.0.1
Bridge1 has ip 192.168.0.100 - relay from 192.168.0.1
Bridge2 has ip 172.16.100.1 dhcp server 172.16.100.100-172.16.100.250
I configure ether2 with ip 192.168.0.123, and guest clients must go on internet usin it.
It’s correct this scrip? It doesn’t work.. 
/ip firewall mangle
add chain=input in-interface=ether2 action=mark-connection
new-connection-mark=ether2_conn
add chain=output connection-mark=ether2_conn action=mark-routing
new-routing-mark=to_ether2
add chain=prerouting dst-address=192.168.0.0/24 action=accept
in-interface=OSPITI (it’s bridge2)
add chain=prerouting dst-address-type=!local in-interface=OSPITI
per-connection-classifier=both-addresses-and-ports:2/0
action=mark-connection new-connection-mark=ether2_conn passthrough=yes
add chain=prerouting connection-mark=ether2_conn in-interface=OSPITI
action=mark-routing new-routing-mark=to_ether2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=to_ether2
check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade