Thanks guys. As far as I know, the Ubiquiti EdgeRouter is capable of a /16 subnet, so that might be the easiest solution. I believe the router and APs are also capable of VLANs, but I know the switches are not.

I guess I need to look into how the guest network is created on those UniFi APs. I was under the impression that it did all the client isolation for me already, giving out web access only, and I wouldn't have to tell it to block a certain subnet.

So when it's a /16 subnet, a device at 192.168.1.64 could talk to another device at 192.168.3.37 with no problems? That seems like the way to go to solve the DHCP issue, but it seems I have a little more work to do on security.

For sure, a VLAN would be the way to go, if necessary. Wouldn't physically separate networks also require their own APs, effectively doubling the number of APs they have now? I need staff and guest wifi in all areas. That's why a VLAN seems the better way to go, but I'm not sure if I can create a VLAN for the guest network only, or if it applies to the whole AP...

Looks like I have a lot of research to do. Thanks so much for the lessons you've given me so far!
_________________________
Matt
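As an added illustration, not part of Matt's post and not a real device configuration, the following Python model shows why the /16 question matters: two hosts inside one /16 are on the same subnet and reach each other directly through the switch, so no router firewall rule can sit between them, whereas with one VLAN (and subnet) per SSID the traffic is routed and a guest-to-staff deny rule can apply. The 192.168.0.0/16 design, the two /24 VLAN subnets and the deny rule are constructed assumptions.

```python
"""Flat /16 LAN versus one VLAN per SSID: where can a filter rule act?"""
import ipaddress

# Constructed designs for illustration (not the poster's real network).
FLAT = {"lan": ipaddress.ip_network("192.168.0.0/16")}
VLANS = {
    "staff": ipaddress.ip_network("192.168.1.0/24"),   # assumed VLAN 10
    "guest": ipaddress.ip_network("192.168.3.0/24"),   # assumed VLAN 30
}
# Hypothetical router rule: guest may not initiate traffic to staff.
GUEST_DENY = frozenset({("guest", "staff")})


def segment_of(ip, nets):
    """Name of the subnet that contains ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in nets.items():
        if addr in net:
            return name
    return None


def can_reach(src, dst, nets, deny=frozenset()):
    """Return (reachable, reason) for src -> dst under a given design.

    Hosts in the same subnet ARP for each other and are switched directly;
    the router (and any rule on it) is never in the path.  Hosts in
    different subnets send via the router, where `deny` is enforced.
    """
    s, d = segment_of(src, nets), segment_of(dst, nets)
    if s is None or d is None:
        return False, "no route: address outside every configured subnet"
    if s == d:
        return True, f"same subnet ({s}): switched directly, router rules never apply"
    if (s, d) in deny:
        return False, f"routed {s}->{d}: dropped by firewall rule"
    return True, f"routed {s}->{d}: permitted"


if __name__ == "__main__":
    guest, staff = "192.168.3.37", "192.168.1.64"
    print("flat /16  :", can_reach(guest, staff, FLAT, GUEST_DENY))
    print("VLANs     :", can_reach(guest, staff, VLANS, GUEST_DENY))
    print("staff>gst :", can_reach(staff, guest, VLANS, GUEST_DENY))
```

In the flat design the deny rule is configured but unreachable; only the per-SSID VLAN design puts the router between the two hosts.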