Separate networks on multiple routers configured as access points

Hi all,
I have 4 routers running the latest version of openwrt. They are all connected to a switch via a LAN port (additionally, I have several PC's and a SAN wired to the switch.) One router is configured to be the router for my home (providing DNS and DHCP), the other routers are set up as access points. All radios are turned on and the 5G radios use the same SSID so you can wander through the house without realizing you are changing Wi-Fi stations (the 2G radios use a different SSID that is shared by all of the routers, so I can move my IoT devices around the house without having to configure them). Of course, all devises (wired, 2G and 5G) are on the same network.

I want to set up two networks: the 5G and wired for phones, computers, and SAN; the 2G for IoT devices and guests. I think I know how to do it for the router from this article but how do I get this network through to my access points to be able to assign it to their 2G radios? I only have a single network cable running from the switch to each access point.

Can someone either point me to a solution (I can't believe that I am the only one who has had this requirement) or at least in the right direction?

see here for most of what you need... Network consolidation using VLAN over WLAN interfaces

Use VLANs on the wire from the router to the APs, one VLAN per network; also, search for "trunking".

I like to make a guest LAN at each AP for guests and IOTs. This then NATs back to the main router on the trusted LAN. Set up firewall rules to keep guests out of all private IPs such as those on the LAN. They only can use the Internet.

From the documentation.

As above. I have a similar set up with two all in one AP's (EA6350v3 and EA8500) and a security system wired to a main router (Edgerouter X). Security gets its own VLAN mapped only to the port the security system (Envisalink 4 interface) is plugged into on the main router. All VLANs are managed by the main router (DNS and DHCP). All VLANs are mapped to main router ports the AP's are plugged into. AP ports with IOT or security devices plugged into them (e.g., VOIP phone, IP camera's) only have the IOT or Security VLAN mapped to them, as applicable. A desktop PC is plugged into an AP port that has only the home LAN mapped to it; guest WIFI on the AP's (2G and 5G) is mapped to the single guest VLAN managed by the main router, IOT WIFI to the IOT VLAN, etc. One of these days I'm going to figure out how to have Wireguard cover only a VPN VLAN, so I can selectively map WIFI SSIDs and ports to the VPN protected VLAN network.