Virtual AP in bridge, no internet

Hello, a 951G-2HnD with 6.41 here. I cannot work out the following:

I have wlan1 bridged with eth2-4, eth1 is the internet.
I created a virtual AP wlan2 (mode: ap bridge, master: wlan1) to create a guest wifi. Configured a network, an IP for the wlan2 interface, a DHCP server and pool.
NAT is configured for internet access > out: eth1 action: masquerade
Routes are in place and networks are reported reachable.

If I put wlan2 in the existing bridge, it works fine.
If I keep wlan2 out of the bridge on its own, it works fine.

But if I put wlan2 in its own bridge (for example bridge-guest, to bridge it with eth5 to accommodate wired guests as well), bind the IP to bridge-guest as well as bind the DHCP server to bridge-guest, the network works, DHCP works, but there is no internet for clients on wlan2.

I don’t understand why the dedicated bridge approach is not working. Am I missing something? Thanks in advance for the advice.

Strange, I thought I’d give bridge-guest another go and it works now:

  • re-enabled bridge-guest
  • re-enabled bridge port wlan2 assignment on bridge-guest
  • reassigned IP address from wlan2 to bridge-guest
  • changed DHCP server binding from wlan2 to bridge-guest
  • changed all wlan2 interface entries to bridge-guest in firewall rules

Did not reboot, but now it works. I practically only reverted the workaround of keeping the wlan2 interface separate :confused:
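
Added example, not part of the original post: a small Python check for the situation the steps above deal with, listing address, DHCP server and firewall entries that still name an interface which has since been made a bridge port. The export text, the 192.0.2.1/24 address, the pool name and the filter rule are constructed for illustration, and the parser assumes one `add` entry per line without quoted values.

```python
import re

# Constructed sample in the style of a RouterOS /export (not from the post);
# the address, pool name and filter rule are made up for illustration.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=wlan2
add bridge=bridge-guest interface=eth5
/ip address
add address=192.0.2.1/24 interface=wlan2
/ip dhcp-server
add address-pool=guest-pool interface=bridge-guest name=guest-dhcp
/ip firewall filter
add action=drop chain=forward in-interface=wlan2 out-interface=!eth1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1
"""

# Properties that carry an interface name in the sections checked here.
KEYS = ("interface", "in-interface", "out-interface")

def parse(export):
    """Yield (section, {key: value}) for each single-line 'add' entry."""
    section = None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            yield section, dict(re.findall(r"([\w-]+)=(\S+)", line))

def stale_references(export):
    """Return (section, key, port, bridge) for entries that name a bridge port."""
    entries = list(parse(export))
    port_to_bridge = {e["interface"]: e["bridge"]
                      for s, e in entries if s == "/interface bridge port"}
    findings = []
    for section, entry in entries:
        if section == "/interface bridge port":
            continue
        for key in KEYS:
            name = entry.get(key, "").lstrip("!")  # drop the negation marker
            if name in port_to_bridge:
                findings.append((section, key, name, port_to_bridge[name]))
    return findings

if __name__ == "__main__":
    for section, key, port, bridge in stale_references(SAMPLE_EXPORT):
        print(f"{section}: {key}={port} is a port of {bridge}")
```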