jazzy_jeff_81
Occasional Visitor
So I am trying to achieve the ability to have 1 SSID for a VPN and 1 SSID for Internet using just my ISP.
One of the SSIDs will be from the Guest network on the 5 GHz band, wl1.1.
I feel like I have tried every script without success and I cannot understand why, or what I am doing wrong.
Here is the last script I tried from the user saffron at this URL:
http://forums.smallnetbuilder.com/showthread.php?t=9839&page=3
wan-start (make sure it's executable- chmod 755 wan-start)
Code:
#!/bin/sh
# guest wireless wl1.1 DHCP
killall dnsmasq
sleep 2
echo "interface=wl1.1" >> /etc/dnsmasq.conf
echo "dhcp-range=wl1.1,192.168.2.2,192.168.2.254,255.255.255.0,21600s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl1.1,3,192.168.2.1" >> /etc/dnsmasq.conf
dnsmasq --log-async
sleep 2
# guest wireless assignment
ifconfig wl1.1 192.168.2.1 netmask 255.255.255.0
# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
# guest wireless firewall. vpn kill switch is in built.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE
#optional. block all ports on vpn except: dns(53),http(80),https(443)
iptables -I FORWARD -i wl1.1 -s 192.168.2.0/24 -o tun11 -p tcp -m multiport ! --port 53,80,443 -j DROP
iptables -I FORWARD -i wl1.1 -s 192.168.2.0/24 -o tun11 -p udp -m multiport ! --port 53,443 -j DROP
vpn-route-up.sh (make sure it's executable- chmod 755 vpn-route-up.sh)
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-up.sh
# Add the following to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-up.sh
# clear tun11 (client 1) table, if exists
ip route flush table 11
ip route del default table 11
# not strictly necessary but speeds up routing changes
ip route flush cache
# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
# not strictly necessary
ip route flush cache
#optional. force vpn to default to google dns
#DNS_SERVER="8.8.8.8 8.8.4.4"
#for ip in $DNS_SERVER
#do
#iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#done
exit 0
I have also tried the scripts at this URL from Wizwin:
http://forums.smallnetbuilder.com/showthread.php?t=9311&page=2
I have tried setting this in the dnsmasq.conf.add file:
interface=wl1.1
dhcp-range=wl1.1,192.168.2.2,192.168.2.254,255.255.255.0,21600s
dhcp-option=wl1.1,3,192.168.2.1
I make sure I set the file properties to chmod 0755. I have the custom configs box checked in the GUI, I have jffs enabled, I have formatted the jffs, I reboot between changes. I have set OpenVPN to "Start with wan", I have the redirect internet set to no, which I think is the same as the route-nopull. I'd really like some guidance as to what I am doing wrong because I keep reading how it's worked for others, but I am not getting it to work.
I think part of the issue is I am not getting the IP that I hope from a different scope. In the GUI I set the DHCP scope to 192.168.1.100 - 192.168.1.199, and in the dnsmasq.conf.add file I set another scope on the wl1.1 interface to 192.168.2.2 - 192.168.2.254. I always get IPs from the scope I have set in the GUI and not the second scope. Maybe this doesn't matter, but I think it does.
I have an Asus RT-AC87R with firmware 378.50.
Thanks for any help.
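
One way to check, piece by piece, the state the two scripts above are meant to create (guest DHCP scope, wl1.1 pulled out of the bridge, policy rule, table 11 default route). This is an added example, not part of the original post or of either linked script; the function names, the capture-directory layout and the sample data are assumptions, and the patterns assume the usual output layout of `ip` and `ebtables`.

```shell
#!/bin/sh
# Added example (not from the post). Each check reads saved command output,
# so the logic can be exercised offline against constructed samples.

# /etc/dnsmasq.conf must carry the guest scope, or wl1.1 gets no 192.168.2.x lease
has_guest_dhcp()  { grep -q '^dhcp-range=wl1\.1,192\.168\.2\.' "$1"; }
# `ebtables -t broute -L BROUTING`: wl1.1 IPv4 must be routed, not bridged into br0
has_broute_drop() { grep -Eiq -- '-p ipv4 -i wl1\.1 -j DROP' "$1"; }
# `ip rule show`: traffic arriving on wl1.1 must look up table 11
has_guest_rule()  { grep -Eq 'iif wl1\.1 .*lookup 11( |$)' "$1"; }
# `ip route show table 11`: table 11 needs a default route out of tun11
has_vpn_default() { grep -Eq '^default .*dev tun11( |$)' "$1"; }

# diagnose DIR -> prints each missing piece, returns the number of failed checks
diagnose() {
    d=$1; fails=0
    has_guest_dhcp  "$d/dnsmasq.conf" || { echo "MISSING: dhcp-range for wl1.1"; fails=$((fails+1)); }
    has_broute_drop "$d/broute"       || { echo "MISSING: ebtables broute DROP on wl1.1"; fails=$((fails+1)); }
    has_guest_rule  "$d/ip_rule"      || { echo "MISSING: ip rule wl1.1 -> table 11"; fails=$((fails+1)); }
    has_vpn_default "$d/route11"      || { echo "MISSING: default via tun11 in table 11"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: only the GUI scope is live and the VPN route-up script
# has not run (values are illustrative, not captured from a real device).
make_sample() {
    d=$(mktemp -d)
    printf 'interface=br0\ndhcp-range=lan,192.168.1.100,192.168.1.199,255.255.255.0,86400s\n' > "$d/dnsmasq.conf"
    printf 'Bridge table: broute\n\nBridge chain: BROUTING, entries: 0, policy: ACCEPT\n' > "$d/broute"
    printf '0:\tfrom all lookup local\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n' > "$d/ip_rule"
    : > "$d/route11"
    echo "$d"
}

# On the router, capture the live state into a directory, then pass it in:
#   cp /etc/dnsmasq.conf "$d/"; ebtables -t broute -L BROUTING > "$d/broute"
#   ip rule show > "$d/ip_rule"; ip route show table 11 > "$d/route11"
if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

A missing dhcp-range line in the live /etc/dnsmasq.conf, or a missing broute DROP rule, is consistent with clients on wl1.1 still receiving leases from the GUI scope.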