Thanks! I did try doing it that way yesterday. When i try connecting to the guest it will eventually time out just give me a 169.254.x.x IP.

Do you have trunk ports between the firewall and the switches and to the AP?

Are you sure there is a dhcp scope for this subnet?

My AP's to the switch are set as trunk ports. My port from switch to firewall is Access. I did submit a ticket to my ISP to double check the firewall is correct.

That sounds like the problem. A access port transport only 1 vlan(native). If you want to use more vlans from the firewall you should have trunk ports transporting those vlans

I really appreciate the help on this! So would my native vlan need to be 35 and allowed just need to be 1007??

Almost had it. I was able to get the correct IP address but I had no internet. I got no internet on both my secure or guest ssid. Could the trunk port for the AP cause issues? They are not set for vlan 35

That looks fine. Maybe vlan 35 is also tagged and native should be 1 on the uplink?, but your previous config shows access port vlan 35, thats confusing.

What management IP/subnet does you AP have?

VLAN 1 is for my wired devices. My AP's are pulling their IP from the wired DHCP pool.

0/1 10.236.68.1/22 Data

0/3 10.236.236.1/22 Internal Wireless VLAN 35 Tagged

0/3.1007 10.236.94.0/23 Guest Wireless VLAN 1007 Tagged

0/4 10.236.5.1/24 VOIP

0/5 10.236.81.1/24 DMZ (Not being used yet)

0/6 10.236.32.1/24 Bell & Intercom

0/7 Uplink

I think a good test might be to configure a port in access mode on each VLAN and test the connection with a laptop to validate that the connection to each VLAN is working as expected.