Happy to share details. Bear in mind that while my setup works for me, it may not be the best for anyone else reading this. The main goal of this setup though is to keep guest traffic completely isolated from the rest of the network. Not only for security, but we're an academic institution and aren't allowed to let Joe Public use our Janet connection (if you're not based in the UK and don't know what Janet is, details are here:
https://en.wikipedia.org/wiki/JANET - this part isn't important though). Point is we need to provide wi-fi to visitors, but not on our connection.
We have a second Internet connection dedicated solely to public access, as is fairly common nowadays, using a standard business ADSL connection. This is connected to a separate firewall which handles DHCP, content filtering, etc... and is isolated to the guest VLAN. When a visitor connects to our guest network, the AP tags the traffic with the VLAN ID and the switches are configured to only allow this traffic across certain ports. This allows it to reach the DHCP server on the firewall, which gives the client an IP address on the ADSL network and isolates it from everything else. We use HP switches, although there's nothing HP specific here. Anything that can handle VLAN tagging is fine. It also makes things easier when setting up extra APs, as all that needs done is to connect a PoE cable and allow the guest VLAN on the switch port.
This has worked perfectly for quite some time, but the only issue I've had recently (see my other posts for info) is that when trying to use a separate authentication portal (PurplePortal in this case), the clients are bounced back to the ZoneDirector to complete authentication. Unfortunately they can't see it, as they're now on an external network. For standard guest access though, it works perfectly!
That may or may not make sense, as I probably glossed over a few details. Happy to clarify anything if it helps though!