Great!
I'll try to give a few quick pointers:
The "dotted notation" for VLANs takes the form of ethx.y, where x is the ethernet port (at the CPU, not necessarily the physical port on the device) and y is the VLAN ID.
A bridge is the software equivalent of an unmanaged ethernet switch. It is required if you intend to connect any given network to more than one physical interface (ethernet + wifi, multiple wifi radios, etc.). So we created a bridge for the guest network that contained the proper VLAN assignment and then used that bridge as the device for the guest network.
This is a good one to read about -- but the super quick idea is that the entire guest network will 'hide'/'masquerade' behind the single IPv4 address that the router occupies on the upstream network. This is the way every router is able to share a single IPv4 address from the ISP with an entire network behind the router (that's why it is enabled by default on the wan zone).
We needed to enable this on the lan zone since that is your upstream network (not the wan in your case). This can be avoided if your upstream router supports the creation of static routes.
Likewise, your guest network needs upstream connectivity to get internet access. Since you're using the lan interface as the upstream, you needed to add this forwarding rule from guest > lan.
Finally...
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
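
The pieces described in the post above, put together as an added example (not taken from the thread or from the poster's configuration). It assumes OpenWrt-style UCI files; the port eth0.3, VLAN ID 3, the 192.168.3.1/24 guest subnet, the guest zone policies and the DHCP/DNS rules are all constructed for illustration.

```uci
# /etc/config/network: bridge carrying VLAN 3 of CPU port eth0 (dotted notation ethx.y)
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

# The guest network uses that bridge as its device
config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/firewall: lan is the upstream network here, so masquerading goes on lan
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# Guest zone (assumed policy: guests cannot reach the router itself by default)
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# guest > lan forwarding gives the guest network its upstream path
config forwarding
	option src 'guest'
	option dest 'lan'

# With input REJECT, guests still need DHCP and DNS from the router (assumed rules)
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
```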