Resolved! ACL confusion
I have a /23 subnet that I use for guest network access. I created an ACL to allow DNS to the DNS server and 80 and 443 to the UniFi controller for the captive portal. This is the ACL I put in:
ip access-list extended GUEST_WIFI
permit tcp host 17...