[Solved] Different subnet for wired and wireless

Great

I saw that, but you hadn't mentioned it until about half way down this thread... so I wasn't; sure if this was an option you had enabled intentionally or accidentally.

Currently, your gast network is included in the lan firewall zone. Because the lan zone (currently) has forward=accept, it means that the gast network and the lan can communicate with each other. Further, it has input=accept, which means that the gast network can connect to the router ssh, web, and any other services are running on the device.

Typically, a guest/untrusted network is associated with a separate zone that does not allow inter-VLAN routing with the trusted network(s), and typically blocks all connections to the router except those that are necessary (DHCP and often DNS, in a standard config).

You don't need to fix this, but the gast firewall zone doesn't do anything at all (because it doesn't have a network attached) and, as just described, the gast network is not currently treated with any additional restrictions... fixing this (or not) depends on your goals.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.