Additional info. I think the issue may be some subtle difference in firmware 8.4 and 8.5 in how it handles firewall rules?
In firmware 8.4 I can have a firewall rule which blocks all access from the Guest VLAN to the Untagged LAN:
But in firmware 8.5, this causes devices to stop working.
However, if I add another rule in firmware 8.5 which allows the VLAN devices to access the router itself (which is the .1 address):
Then the devices function again.
I wonder if in firmware 8.5, the first firewall rule is blocking something important (such as DNS?) and by adding the Allow rule, it’s working around that bug?