Discovered that the issue was due to having a local DNS server. I have a DNS server on the main network to give better response times for DNS queries. I'd configured the DHCP server to return the IP address of that DNS server to the clients. Unfortunately, what I hadn't realised was that that IP address was also returned to clients on the guest network. Obviously, that's not accessible from the guest network! So although clients were able to connect to the guest network, they didn't have access to the internet as name services weren't working. I'm surprised that the main and guest networks share the same DHCP settings: they are meant to be separate networks after all.
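A check that can be run from a guest-network client to confirm the symptom described above, as an added example that is not part of the original post: it sends a DNS query to each resolver the client was handed and reports which ones answer. It assumes a Unix-like client whose /etc/resolv.conf lists the DHCP-supplied resolvers; the function names are illustrative.

```python
import random
import socket
import struct


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def build_query(name, txid):
    """Build a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def resolver_answers(server, name="example.com", port=53, timeout=2.0):
    """True if `server` returns any DNS response with a matching ID."""
    txid = random.randint(0, 0xFFFF)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((server, port))
            sock.send(build_query(name, txid))
            reply = sock.recv(512)
        except OSError:  # timeout, refused, or no route: resolver unusable
            return False
    if len(reply) < 12:  # shorter than a DNS header
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)  # QR bit set = response


def check_resolvers(resolv_conf_text, **kwargs):
    """Map each configured nameserver to whether it answered."""
    return {s: resolver_answers(s, **kwargs) for s in parse_nameservers(resolv_conf_text)}


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for server, ok in check_resolvers(fh.read()).items():
            print(f"{server}: {'answers' if ok else 'NO ANSWER'}")
```

A client that associates and gets a lease but shows `NO ANSWER` for every resolver matches the failure in the post: connectivity to the network without working name resolution.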