upgrade from RT-AX86U to GT-AX6000?

The only issue - Guest Network. If you can help with scripting that on AX86U - great.
If it's only one then OP can just enable it in the GUI of his primary mesh node then take the 192.168.101.X and/or 192.168.102.X and configure the gateway IP interface as a vlan to match in the Opnsense GUI. No scripting really needed unless he needs more than one GN on all mesh nodes. He would need to wire backhaul his satellite node via link aggregation rather than hang both off the Opnsense box if he wants to make full use of his 2gig plan with no scripting.
You mean AiMesh in AP Mode with GN1 enabled and VLAN 501/502 configured on the OPNsense box?
No, the OPNsense just needs random vlan interface(s) defined on the port the primary mesh node is attached to in order to add additional subnets, assuming he'll be bridging his physical interfaces with his primary subnet IP. BSD is kinda sucky/primitive vs Linux in that you can't bridge vlan interfaces or do vlan filtering on a bridge. You can only define a vlan on one physical port and a managed switch is necessary for any addl ports - tagged or untagged. Has nothing to do with the ASUS 501/502 GN vlans across mesh nodes. The only 2 vids he definitely should NOT pick for his OPNsense box are 501 or 502; the other 4092 tags are fair game.
How do you do link aggregation to the node?
I believe his current model supports bonding ports 1 & 2. Before I got rid of my RT-AX86S I had it wired backhaul link aggregated as a mesh node to my gt-ax6000.
Why mesh nodes and not just 2x routers in AP Mode?
That's the setup OP mentioned he had.
I believe this doesn't work in AiMesh even if the GUI allows it as a setting.
It was working for me between my 6000 and former rt-ax86s. Funny thing is I couldn't get AiMesh to work between 2 gt-ax6000s with just one cable no matter what I tried. Anyhow, if you don't mind, my suggestion to OP was kinda tongue-in-cheek, and this is probably a good place to stop hijacking his thread any further based on it.
my suggestion to OP was kinda tongue-in-cheek, and this is probably a good place to stop hijacking his thread

Better hardware firewall and reusing existing Asus routers as APs is a question that comes up quite often. This is a real alternative for the OP as well. Every time I ask you for specifics I get general statements only. When you start saying something - say it all. I would like to see something like this instead:

AiMesh is not needed in this configuration and OP can have 2x 2.5GbE connections to routers + WAN/LAN 2.5GbE ports with something like this:

Was going to suggest PFSense on one of those appliances. The newest versions support i225s. Their beta addressed the i226 Intel drivers, and for most of those bare appliances the network chip is an i226. You can also include and use Realtek's driver so Realtek-based 2.5gb NICs work great.
I used AX6000 for 3 days, overall very glad with performance. However, the 2.4GHz signal is no different from the AC68U.
And why would you expect it to be?

Did you try relocating the GT-AX6000 to optimize the 2.5MHz band performance? Even a few inches (in 3 axes) can make a substantial difference.

