m0n0wall Forum - VLANs- Advice

Hello everyone- I'm in the middle of setting up a guest wireless network in our church, and i'm hoping that someone more knowledgeable than I might be able to validate and/or point out a general flaw in my design (sorry I don't have more specific logs at the moment).

The issue I have that I believe is different from some of the others doing guest networks is that I already have multiple dd-wrt APs scattered about the church, all hard wired together, and clients can roam between them somewhat seamlessly. What i'd like to do is spawn a virtual wlan interface on each one of these for the guest network, and then communications back to the server room will occur on a vlan tagged port, essentially giving me two completely seperate networks on one physical network.
In the server room, a m0n0wall router will take the vlan tagged signals and do the following:

1) guest vlan (setup as LAN in m0n0wall): perform DHCP duties, and limit traffic from entering private LAN- allowing traffic to only go to internet.
2) private vlan (setup as OPT1 in m0n0wall): simply bridge with WAN - DHCP will be handled by existing Win2k3 server on the private LAN.

I attempted this earlier today,with the following result:
Guest WLAN
1) Connecting to guest network yielded a guest netowrk IP- so m0n0wall DHCP works
2) NSLOOKUP to internet works
3) Traffic does NOT pass to internet.

Private LAN
1) No DHCP
2) Internet works when I hard code all of the IP settings (in private LAN subnet)

I believe the VLAN tagging is working because I see traffic on the VLAN interfaces in m0n0wall.
I've attached a diagram of what i'm trying to do- i hope it makes sense! At this point i'm just looking to see if my general idea will even work, before I get into the nitty gritty with debugging. Thank you!