Re: The best practice to separate guest network from internal LAN
So what do you need a zone for then? WiFi guest traffic already is separated from (wired) LAN, that's it. I call that a DMZ...
The zone construct combines several ports (physical, WiFi, VLAN, VPN) into one logical interface, either to reduce the number of policies, to provide failover or to enable intra-zone traffic without policies ("security switch"). I can't really recognize any of this in your requirements.
If you plan to radio an internal SSID over the same AP then apply the 2-VLAN-recipe from @dmcquade. That's the best it can get.
Ede "Kernel panic: Aiee, killing interrupt handler!"
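What the two-VLAN setup looks like on a Linux router, as an added example that is not part of the thread and not the recipe posted by @dmcquade or by Ede. The interface names, VLAN IDs and the choice of nftables are assumptions: the AP trunks VLAN 10 (internal SSID and wired clients) and VLAN 20 (guest SSID) to the router on eth1, and eth0 is the WAN uplink. The named sets stand in for the "zone" construct from the reply: a rule matching a set covers every port in it, so adding a wired guest port later means extending the set, not writing new policies.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed topology:
#   eth0     - WAN uplink
#   eth1.10  - LAN VLAN 10 (internal SSID + wired clients)
#   eth1.20  - guest VLAN 20 (guest SSID)
# The AP trunks VLANs 10 and 20 to the router on eth1.

flush ruleset

table inet filter {
    # Named interface sets play the role of zones: one rule per set,
    # not one rule per physical port.
    set lan_zone   { type ifname; elements = { "eth1.10" } }
    set guest_zone { type ifname; elements = { "eth1.20" } }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Guests may only talk to the router itself for DHCP and DNS.
        iifname @guest_zone udp dport { 67, 53 } accept
        iifname @guest_zone tcp dport 53 accept
        # Internal clients may reach all router services.
        iifname @lan_zone accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Guest VLAN never reaches the internal VLAN (explicit, although
        # the chain policy would drop it anyway).
        iifname @guest_zone oifname @lan_zone drop
        # Guest VLAN gets Internet only.
        iifname @guest_zone oifname "eth0" accept
        # Internal VLAN may go anywhere, including into the guest VLAN.
        iifname @lan_zone accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Check the file with `nft -c -f guest-vlan.nft` before loading it (the `-c` flag only parses), then confirm with `nft list ruleset`. Note that a client on the guest VLAN can still reach other guests on the same VLAN through the AP; if that is unwanted, client isolation has to be enabled on the AP, the router never sees that traffic.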