It’s simple…
Add a new SSID to your wifi infrastructure; if it is good WIFI kit, it will allow you to assign a different VLAN per SSID.
NEVER put a guest wifi on your corporate network subnet, even with VLANs.
I have seen masses of compromised mobile devices running probes against infrastructure, plus it bridges the service provider’s WAN to your local LAN around your firewalls & security.
PLEASE remember, on a compromised device… they can easily bind other VLANs at the device end to probe VLANed networks…
So basically give all your WIFI hardware kit a subnet NOT on your corporate network (for management).
Set multiple SSIDs on your wifi kit with their own VLANs.
Route each VLAN over the WIFI kit’s subnet.
Route each VLAN as you see fit,
but ideally your guest NW should not be pulling info (DHCP/DNS) from your AD directly, even over a VLAN…, in case of zero-days against the DHCP & DNS infrastructure.
https://www.cvedetails.com/vulnerability-list/vendor_id-11749/product_id-21763/Pfsense-Pfsense.html
You could intercept it all at your switch before the FW & provide DHCP & DNS services & redirectors on the switch for that specific VLAN, before it even hits your corporate stuff, then get it out of your network… directly to your firewall, where you would un-VLAN it…
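Added example (not from the post above or any vendor): a small Python check that takes an SSID/VLAN plan and flags the things the post warns about, namely a guest subnet or AP management subnet landing inside the corporate range, guest DHCP/DNS pointed at corporate (AD) servers, and a VLAN ID reused across SSIDs. All addresses and SSID names are constructed sample values.

```python
import ipaddress

def overlaps(subnet, nets):
    """True if subnet overlaps any network in nets."""
    return any(subnet.overlaps(n) for n in nets)

def check_wifi_plan(ssids, corporate_subnets, ap_mgmt_subnet):
    """Return a list of findings; an empty list means the plan follows the rules."""
    corp = [ipaddress.ip_network(n) for n in corporate_subnets]
    mgmt = ipaddress.ip_network(ap_mgmt_subnet)
    findings = []
    # Rule: AP/controller management subnet must NOT be on the corporate network.
    if overlaps(mgmt, corp):
        findings.append(f"AP management subnet {mgmt} sits inside the corporate network")
    seen_vlans = {}
    for s in ssids:
        net = ipaddress.ip_network(s["subnet"])
        # Rule: one VLAN per SSID, never shared between two SSIDs.
        if s["vlan"] in seen_vlans:
            findings.append(f"{s['ssid']}: VLAN {s['vlan']} already used by {seen_vlans[s['vlan']]}")
        seen_vlans[s["vlan"]] = s["ssid"]
        if not s["guest"]:
            continue
        # Rule: guest subnet must not be on (or overlap) the corporate network.
        if overlaps(net, corp):
            findings.append(f"{s['ssid']}: guest subnet {net} overlaps the corporate network")
        # Rule: guest DHCP/DNS must not be served by hosts on the corporate network (AD).
        for role in ("dhcp", "dns"):
            srv = ipaddress.ip_address(s[role])
            if any(srv in n for n in corp):
                findings.append(f"{s['ssid']}: guest {role.upper()} {srv} is served from the corporate network")
    return findings

# Constructed sample data: a hypothetical corporate range and two candidate plans.
CORPORATE_SUBNETS = ["10.10.0.0/16"]  # AD, corporate DHCP and DNS live here
GOOD_PLAN = [
    {"ssid": "Corp-WiFi", "vlan": 10, "subnet": "10.10.20.0/24", "guest": False, "dhcp": "10.10.1.5", "dns": "10.10.1.6"},
    {"ssid": "Guest-WiFi", "vlan": 200, "subnet": "192.168.200.0/24", "guest": True, "dhcp": "192.168.200.1", "dns": "192.168.200.1"},
]
BAD_PLAN = [
    {"ssid": "Guest-WiFi", "vlan": 20, "subnet": "10.10.30.0/24", "guest": True, "dhcp": "10.10.1.5", "dns": "10.10.1.6"},
    {"ssid": "Corp-WiFi", "vlan": 20, "subnet": "10.10.20.0/24", "guest": False, "dhcp": "10.10.1.5", "dns": "10.10.1.6"},
]

if __name__ == "__main__":
    print("good plan:", check_wifi_plan(GOOD_PLAN, CORPORATE_SUBNETS, "172.16.50.0/24") or "no findings")
    for f in check_wifi_plan(BAD_PLAN, CORPORATE_SUBNETS, "10.10.5.0/24"):
        print("bad plan:", f)
```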