Please help me to setup multiple WiFi SSID and extend them to AP via VLANS

Technical Support for Routers
1

OK, I start again.
My setup for the internal network is this:

ISP ↔ Flint2 WAN 2 ↔ Zyxel 1900 p1 ↔ Flint 1 (WAN)

I have the main SSID configured on both Flints and the Guest on Flint 2.
Also, I have:

  1. Unconfigured Lan 2 from the br-lan
  2. Added a new Interface named VOIP, added lan2 and configured Firewall just fine. I can access the ATA that is connected to this port without issue.

What I need now is to:

  1. Configure a new SSID for 2.4Ghz named IoT.
  2. Extend the 3 SSID (main, Guest, IoT) to the second Flint.

Since my last attempt to do so broke my network setup badly, I would like to follow a more detailed approach and I also need your help to understand a few things.

I start with the IOT SSID.

I want to add this configuration in /etc/config/network:

vi /etc/config/network
...
config interface 'iot'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.252'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '1'
        option isolate '0'
        option bridge_empty '1'
        option disabled '0'

and

vi /etc/config/wireless
...
config wifi-iface 'IoT'
        option device 'radio0'
        option network 'iot'
        option mode 'ap'
        option ifname 'wlan0-2'
        option encryption 'sae-mixed'
        option key 'ssid_password'
        option ssid 'my_iot_ssid'
        option disabled '0'
        option wds '1'
        option isolate '1'
        option hidden '0'

which is an exact copy of the guest interface.
Question 1:
How is it possible for this setup to work since there is no bridge configured? And this is the case for the Guest network too, since in luci we see that the Guest Interface is associated with the br-guest device but there is no definition of that bridge in the /etc/config/network, or in any other file that I checked.

An alternative method seems to be this:

config interface 'iot'
        option force_link '1'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.252'
        option igmp_snooping '1'
        option isolate '0'
        option disabled '0'

(I found this proposal here)

So, generally speaking I would like to understand how this is working.

2

Your bridge is made from that bit of config!

3

So, no need to define it anywhere else! OK, good to know.
So, which of the 2 possible options is the correct one? The copy from the guest network or the copy from link? Aka, should I create the bridge or not?
(The target is to extend this SSID to my other AP later)

And to clarify. The br-lan has a device named as such. But the br-guest doesn’t that’s why I am confused. Why is it needed for br-lan but not for the br-guest?