Apologies if this sort of question has been answered before. Saw lots of great stuff on SU, but not my scenario.


I have a pfSense firewall running 2 DHCP servers, each assigned to a different network port on the firewall.
The first is for my general home network and runs from the firewall (1st LAN port with 10.x addresses) to a switch and 3 APs. This first network is running fine and as expected.

The second network runs from the firewall (2nd LAN port with 172.x addresses) to an Asus router repurposed as an AP. This Asus has a separate SSID and is used only for my home security system and other IoT devices. The Asus AP has my home security system (Ring) base station connected by Ethernet due to issues we've had with its Wi-Fi. The Ring base station pulls the expected 172.x IP and is able to connect to the Internet just fine. My other security devices that connect to the base station are also online fine.

APs and their SSIDs for network 1 are configured through a hardware controller, also connected to the switch. The Asus AP and its SSID for network 2 are configured through the Asus' 172.x web GUI (static IP at the moment). IPs for both networks are assigned by the firewall router via the 2 DHCP servers.

Problem: Devices that connect wirelessly to the Asus pull a 172.x IP but cannot get online, while devices physically connected to the Asus can get online fine.

Troubleshooting so far

  1. Verified connecting to the right SSID and password (WPA2).
  2. Hard reset on the Asus AP, with new SSID setup.
  3. Verified a laptop hardlined to the Asus can get online, but cannot when switching over to Wi-Fi.
  4. Verified no rules on the firewall that would prevent online access, but reset the network 2 configuration and restarted the DHCP server anyway.
  5. Verified the other APs on the network are not conflicting (channels, SSIDs, etc.).

Other considerations

  • The Ring base station MUST be hardlined (long annoying story with Ring).
  • Ring and the other IoT devices MUST stay on their own network, so I don't want to hardline the base station to the switch on network 1 (may explore VLANs and tagged ports on the switch another day).
  • I know this setup is not ideal with potential signal efficiency loss running one AP mesh and a separate AP & SSID, but prefer it this way for now.

Thoughts and advice are appreciated! Thanks in advance!
