Thanks for the information. Clients on the new NAT-ed SSID/VLAN will have private IPs and the controller will be their default gateway in this case. So my main goal is to get the traffic NAT-ed out the Guest Internet interface instead of (by default) the internal controller IP interface. I am not 100% sure the article addresses this?
I know about the Bonjour limitations, all usage will be contained on the new SSID/VLAN, so for this it won't be an issue. That is one of the reasons for setting up this new SSID so we can have easy Bonjour usage in a certain area for limited users, without affecting the rest of our production WiFi. The reason for the NAT is so a number of OSX servers can run with app download caching enabled.
Thanks,
Bryan