There are two ways of doing it and you managed to mix them both. They are:
- keep using cAP as simple switch/AP, but in this case you have to go with VLANs.
  The benefit is that all L3 (IP, DHCP server, …) configuration remains on the router (in a simple SOHO use case), and all guest traffic will be strictly separated from LAN traffic up to the main router. The drawback is that you have to introduce VLANs in much of your LAN infrastructure (which might be over the top for some LAN admins).
- set up cAP in a hybrid configuration where for LAN the cAP remains configured as switch/AP, but for guests it's a router. This means that the guest wireless interface (wifi2) is not part of the bridge; it is rather used as a stand-alone interface and has all the L3 setup attached (IP address, DHCP server with address pool and what not). As to NAT, you can either run it on the cAP (for guests this means double NAT, but that usually isn't a problem) or you can keep using the main router's NAT (in this case you have to add a static route on the main router towards the guest subnet using the cAP as gateway).
  The benefit is that you don't have to change any of the L2 configuration on the rest of your network. The (big) drawback is that guests will easily be able to access your LAN (and blocking that is one of the main reasons to introduce a guest network in the first place). The relatively complex L3 setup of the cAP is another drawback of this way of doing it.
If you decide to look into VLAN stuff, here's a link to a very nice tutorial on VLANs in ROS, I believe your use case is covered as well.
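The hybrid option described in the second bullet, written out as a RouterOS v7 CLI example. This is an added illustration, not configuration from the poster or from the tutorial; it assumes the cAP's bridge sits on a LAN of 192.168.88.0/24 with the cAP itself at 192.168.88.2, that the guest subnet is 192.168.200.0/24, and that the interface names are `wifi2` and `bridge`. The last block adds the firewall rules that close the "guests can reach the LAN" drawback the post points out.

```routeros
# Added example (not from the original post). Assumed values: LAN 192.168.88.0/24,
# cAP bridge address 192.168.88.2, guest subnet 192.168.200.0/24, guest interface wifi2.

# 1. wifi2 must NOT be a bridge port; remove it if it currently is one
/interface bridge port remove [find interface=wifi2]

# 2. L3 on the stand-alone guest interface: address, pool, DHCP server
/ip address add address=192.168.200.1/24 interface=wifi2
/ip pool add name=guest-pool ranges=192.168.200.10-192.168.200.200
/ip dhcp-server add name=guest-dhcp interface=wifi2 address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1
# let the cAP answer DNS for guests so they never need to talk to a LAN host
/ip dns set allow-remote-requests=yes

# 3a. Option A: NAT on the cAP (guests end up double-NATed, usually fine)
/ip firewall nat add chain=srcnat src-address=192.168.200.0/24 out-interface=bridge action=masquerade

# 3b. Option B: no NAT on the cAP; instead the MAIN router needs a static route.
#     Run this on the main router, not on the cAP:
#     /ip route add dst-address=192.168.200.0/24 gateway=192.168.88.2

# 4. Keep guests off the LAN and off the cAP's own management plane.
#    Rule order matters: established/related first, then the guest drops.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=wifi2 dst-address=192.168.88.0/24 action=drop comment="guest -> LAN blocked"
/ip firewall filter add chain=input in-interface=wifi2 protocol=udp dst-port=53,67 action=accept comment="DHCP/DNS for guests"
/ip firewall filter add chain=input in-interface=wifi2 protocol=tcp dst-port=53 action=accept comment="DNS over TCP for guests"
/ip firewall filter add chain=input in-interface=wifi2 action=drop comment="no management access from guests"
```

Use either 3a or 3b, not both. With option A the main router only ever sees traffic from 192.168.88.2, so nothing changes there; with option B the main router's existing masquerade rule has to cover 192.168.200.0/24 as well, which it does if it is not restricted by `src-address`. Check the result from a guest client by confirming it gets a 192.168.200.x lease, can resolve names, reaches the internet, and cannot ping or connect to any 192.168.88.x host.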