I’m so close I can smell it
I have wireless clients living in 3 ssids and they get their IP/dns/gw just fine from their respective dhcp ‘networks’.
They can ping devices in the LAN, which proves that intervlan routing works.
However none of them can ping the host of their dhcp server, which is weird because it gave them their ip stuff.
It is a hex-s running 6.45.5 that also routes to the internet for them - but no client can reach the internet itself, although the hex-s can.
The hex-s also runs capsman that provisions a hap ac2 and an outdoor wap ac. I think the capsman config is fine.
The intermediate netgear switches are .1q capable, I changed to pvid 5 on all untagged ports, 2 ssids are ‘trunked’ to the hex-s using tagged ports, one ssid using the untagged vlan 5.
Vlan filtering is enabled on the single bridge, and the bridge itself has pvid 5. The bridge is tagged for the tagged vlans and untagged for vlan 5 in the bridge’s vlan table.
The problem smells “firewall” but there is nothing funky there (other than dropping packets bound for google’s dns servers) and I didn’t change anything from my previous config, which I am using to write to you now.
I want to do the legwork, but I’m out of ideas.
thx