So I have the main router offer a WDS AP for guest Wi-Fi on 2.4 and offer a separate WDS AP for main Wi-Fi on 5. This trick seemed to avoid a great deal of extra complication associated with offering out Wi-Fi for these isolated networks.
Namely the latter trick avoids this nightmare:
The extra RT3200s connect to the main router as WDS clients for both guest Wi-Fi on 2.4 and also the main Wi-Fi on 5 and then also offer out APs for guest Wi-Fi and main Wi-Fi.
I believe for all of this to work the 2.4 and 5 radios on all 3x RT3200s have to be on the same channel. I may be mistaken and if so I'd love to know in case I can improve my setup.
Yikes. So what should we switch to if we want to keep the benefits of 802.11r roaming but avoid the security issue? The options I am offered via OpenWrt are a bit mind-boggling:
WPA3 and WPA2-EAP are both fine. I assume mesh as well. Only WPA2-EAP will give you wide compatibility, though at the cost of being harder to configure. I personally decided to live without fast transition as it is not really a big concern for my network.