After about 4 hours of messing around with interface settings and bridge vlan commands, I give up for now. I first tried the bridge commands listed in this thread: Lan ports aren't accessible for WiFi client for the first 250-330 seconds after connection, but that seems to put each lan port on its own VLAN id, and afterwards nothing could talk to each other.
Then I tried to get the guest network and VLAN tagging working. I want to configure one of my LAN ports to be a trunk to my other AP, sending my main LAN on vlan 1, and my guest LAN on vlan 2, both tagged. This was how I had TOS 3 configured, and it seemed pretty straightforward at the time. Now on TOS 5 I can’t figure out what combination of interface names and bridge settings would make this work. It also seems that on TOS 4/5 the guest interface (GUEST_TURRIS) is now also on vlan 1, the same as LAN? I’m guessing the only reason this isolates guest traffic is because they are not bridged together anywhere. If I want lan0 to have the (tagged) traffic from both networks, then I must have to bridge them at some level. Also, just changing the interfaces to use ‘lan0.1’ and ‘lan0.2’ didn’t seem to enable tagging. The only way I could get tagging to remotely work was when I had the LAN bridge set to use ‘lan0’ (not 'lan0.1) and ran ‘bridge add dev lan0 vid 1 pvid’, but then I couldn’t figure out how to get br-guest_turris to bridge lan0 on VLAN id 2. Has anyone been able to get this to work?