@mk24, Thanks a million for your reply, much appreciated!
The comment about it being very similar to a guest network helped. I don't have it working yet, but I believe I'm a step further along:
I now have both networks successfully separated and am able to pass the 5GHz network directly to WAN. However, I'm still stuck getting the 2.4GHz network to talk to the WireGuard connection (which seems to be set up properly; I get a handshake and everything). The 2.4GHz network is connected to its own interface with its own IP range and everything. I created two new firewall zones, one for the WireGuard tunnel and one for the wifi interface, and set the wifi zone to forward to the tunnel zone - but I get nothing; I'm not able to access the internet.
The wiki has a quite nice guide for setting up a guest network. It's a little outdated but it's easy enough to figure out what has changed. The last two steps in that guide are setting up firewall traffic rules for dns and dhcp for the guest wifi. I'm not sure I'd need them for my setup, but I did try to set up what the guide said to see if that helps, but unfortunately it did not, still no vpn'ed internet access (or any internet access at all for that matter).
If I change the firewall settings so that the 2.4GHz network also forwards to WAN instead of the wireguard tunnel then I am able to access the internet. So the culprit must be some firewall setting, I guess.
Here are some of my configs, maybe you or someone else can spot something off:
/etc/config/dhcp
# dnsmasq settings for the router's DNS forwarder / IPv4 DHCP server.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS-rebinding protection is enabled, including for answers pointing at localhost.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers are read from this file.
# NOTE(review): which resolvers end up in it is not shown here; if WAN-provided
# ones are included, any lookup dnsmasq performs on behalf of a 'wg' client
# would not be confined to the tunnel - confirm.
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
# DHCP pool for the 'lan' interface: 150 leases starting at host offset 100,
# 12 hour lease time, with DHCPv6 and router advertisements served as well.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
# No DHCP service is offered on the 'wan' interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd settings; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# DHCP pool for the 'wg' interface (the 2.4GHz network that should use the VPN).
config dhcp 'wg'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'wg'
# DHCP option 6 (DNS server): clients are told to use 10.64.0.1 directly instead
# of the router. NOTE(review): presumably this resolver is reachable only through
# the tunnel, so lookups fail closed while the tunnel is not carrying traffic - confirm.
list dhcp_option '6,10.64.0.1'
# IPv6 configuration is also handed out on this network.
# NOTE(review): the DNS server announced over IPv6 is not set here; if clients
# learn the router as an IPv6 resolver, their lookups may bypass 10.64.0.1 - verify.
option ra 'server'
option dhcpv6 'server'
option ra_management '1'
/etc/config/firewall
# Global firewall policy: SYN-flood protection on, forwarding rejected unless a
# zone or forwarding section allows it.
# NOTE(review): input 'ACCEPT' here is the fallback for traffic that matches no
# zone; an interface left out of every zone would presumably reach router
# services unfiltered - confirm every interface is assigned to a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Trusted zone for the 'lan' network: everything accepted.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Upstream zone ('wan' and 'wan6'): unsolicited input and forwarding rejected,
# outbound traffic masqueraded, MSS clamping enabled.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Traffic rules for the 'wan' zone. Each one opens a narrow exception to the
# zone's input/forward REJECT policy.

# Accept IPv4 UDP to port 68 arriving from wan (DHCP client replies).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept IPv4 ICMP echo-request from wan, i.e. the router answers pings from upstream.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv4 IGMP from wan.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv6 UDP to port 546 (DHCPv6 client) when source and destination fall in fc00::/6.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types (130-132, 143) from link-local sources on wan.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to the router itself, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward the listed ICMPv6 types from wan to any zone (dest '*'), rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward ESP from wan into lan.
# NOTE(review): this rule and Allow-ISAKMP below only matter if an IPsec
# endpoint lives on lan; if none does, they are candidates for removal - confirm.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Forward UDP port 500 (IKE) from wan into lan.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Pulls in additional rules from a script; its contents are not shown in this post.
config include
option path '/etc/firewall.user'
# Zone for the 'wg' network (the 2.4GHz wifi). Input to the router and
# forwarding are rejected by default; the rules and forwarding below are the
# only exceptions.
config zone
option network 'wg'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option name 'wgzone'
# lan clients may reach wan directly.
config forwarding
option dest 'wan'
option src 'lan'
# Lets wgzone clients reach the router's DHCP service, which input 'REJECT'
# would otherwise block.
config rule
option name 'wg dhcp'
option target 'ACCEPT'
list proto 'udp'
option dest_port '67-68'
option src 'wgzone'
# Lets wgzone clients query DNS on the router (port 53). No proto is set, so the
# firewall's default protocol match applies.
config rule
option dest_port '53'
option name 'wg dns'
option target 'ACCEPT'
option src 'wgzone'
# Zone for the WireGuard tunnel: input and forwarding rejected, outbound traffic
# masqueraded, MSS clamping enabled.
# NOTE(review): the network list names 'mullvadzone' as well as 'mullvad', but
# /etc/config/network in this post only defines an interface called 'mullvad';
# the first entry looks like the zone name entered by mistake - confirm.
config zone
option network 'mullvadzone mullvad'
option name 'mullvadzone'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
# The only forwarding out of wgzone goes to the tunnel zone; there is none to
# wan, so wgzone traffic that gets routed towards wan is rejected rather than
# sent unencrypted.
# NOTE(review): a forwarding only permits traffic, it does not route it. The
# routing table must actually send wgzone clients' packets out of the 'mullvad'
# interface for this to pass anything - check the routes, not just the firewall.
config forwarding
option dest 'mullvadzone'
option src 'wgzone'
/etc/config/network
# Loopback interface.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix (redacted by the poster).
config globals 'globals'
option ula_prefix 'xxxxxxxxx'
# Main LAN bridge on VLAN 1, router address 192.168.99.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.99.1'
# Upstream IPv4 connection on VLAN 2, addressed via DHCP.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# Upstream IPv6 connection on the same device, addressed via DHCPv6.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch with VLANs enabled; VLAN 1 and VLAN 2 port membership follows.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# Separate bridge for the 2.4GHz wifi that should use the VPN, router address
# 192.168.98.1/24. No ifname is listed; the wireless config attaches the AP to it.
config interface 'wg'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.98.1'
# An IPv6 prefix is delegated to this network as well.
# NOTE(review): how IPv6 from these clients leaves the router (tunnel or not at
# all) depends on routing and NAT that are not shown - verify it cannot bypass the VPN.
option ip6assign '60'
# Same resolver address that the 'wg' DHCP pool hands to clients.
list dns '10.64.0.1'
option type 'bridge'
# WireGuard tunnel interface. Addresses and private key are redacted by the
# poster; the private key must never be published in the clear.
config interface 'mullvad'
option proto 'wireguard'
list addresses 'xx.xx.xx.xx/32'
list addresses 'xxxx:xxxx:xxxx:xxxx::x:xxxx/128'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option force_link '1'
option listen_port '51820'
# The single peer (the VPN server). allowed_ips covers all IPv4 and IPv6
# destinations, and a keepalive is sent every 25 seconds.
# NOTE(review): this section has no 'route_allowed_ips' option. As far as I know
# no routes for allowed_ips are installed without it, so forwarded traffic would
# still follow the default route via wan, where wgzone has no forwarding - that
# would match the reported symptom. Confirm against the routing table. Enabling
# it with 0.0.0.0/0 would presumably also redirect lan traffic, so routing only
# the 'wg' subnet through the tunnel may need source-based routing instead.
config wireguard_mullvad
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option description 'de4'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'xxx.mullvad.net'
option endpoint_port '51820'
/etc/config/wireless
# First radio: channel 36, 11a hardware mode, 80MHz VHT channel width.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option country 'US'
# Access point on radio0, attached to the 'lan' network (traffic goes straight
# to wan). WPA2-PSK; passphrase and SSID are redacted by the poster.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key 'xxxxxxx'
option ssid 'xxxxxxx'
option encryption 'psk2'
# Second radio: channel 11, 11g hardware mode, 20MHz HT channel width.
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option htmode 'HT20'
option country 'US'
# Access point on radio1, attached to the 'wg' network, i.e. the clients that
# are meant to leave only through the VPN tunnel. WPA2-PSK; passphrase and SSID
# are redacted by the poster.
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option network 'wg'
option key 'xxxxxxx'
option ssid 'xxxxxxx'
option encryption 'psk2'