As requested I will post screenshots, but I think this is still a WIP, as some of these rules are set automatically internally, so I could clean up, and I notice also that I have ALTQ queues defined when ALTQ is off now, but hopefully it gives you an idea of what I meant.
The Managementports alias points to ports 80, 443, 22 to block SSH and web UI access to the firewall.
guest_ntp_dns points to ports 53, 123, 853 to allow DNS/NTP access on the firewall.
The nolog rule near the bottom is to disable logging for some extra packets that get blocked by the walled garden setup and were being logged because I decided to log the blocked packets, so that rule disables logging for those packets.
Guest_ports is the allowed ports on the walled garden; it's an expansive list, as I include ports for some Android and social media apps as well as email. Will attach a pic for it also.
Also, as has been pointed out, you need to have the ability to have an isolated WAP setup that uses the guest VLAN, unless you're OK with all wifi clients being on the main LAN.
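The rules described in the post above, written out as a pf.conf rule set as an added example (this is not the poster's actual configuration or the screenshots). The interface name, subnets and the walled-garden port subset are assumptions; the alias contents (80, 443, 22 and 53, 123, 853) are the ones the post gives.

```pf
# Added example, not the poster's rules. Interface, subnets and the
# walled-garden port list are assumptions; the two aliases follow the post.
guest_if  = "vlan20"                  # assumed guest VLAN interface
guest_net = "192.168.20.0/24"         # assumed guest subnet
fw_self   = "192.168.20.1"            # assumed firewall address on the guest VLAN

managementports = "{ 80, 443, 22 }"   # web UI and SSH on the firewall (from the post)
guest_ntp_dns   = "{ 53, 123, 853 }"  # DNS, NTP, DNS-over-TLS (from the post)
guest_ports     = "{ 80, 443, 993, 587 }"  # walled garden: placeholder subset, the real list is longer

# Management plane is never reachable from the guest VLAN; log the attempts.
block in log quick on $guest_if proto tcp from $guest_net to $fw_self port $managementports

# Only DNS and NTP are offered to guests by the firewall itself.
pass in quick on $guest_if proto { tcp, udp } from $guest_net to $fw_self port $guest_ntp_dns

# Keep guests off the firewall's other interfaces and internal networks
# (RFC 1918 ranges used here as an assumption); these drops are logged.
block in log quick on $guest_if from $guest_net to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Walled garden: only the listed destination ports leave the guest VLAN.
pass in quick on $guest_if proto tcp from $guest_net to any port $guest_ports

# The "nolog" rule: everything else the walled garden drops is expected
# noise, so it is blocked without logging.
block in quick on $guest_if from $guest_net to any
```

Rules carry `quick`, so they are evaluated top to bottom and the first match wins; the order above is what keeps the management block ahead of the DNS/NTP allow.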