This discussion has been locked.

Wireless separate zone behind a RED 15W - issues

We currently have a Sophos SG310 running UTM 9.402-7. We have a remote location with a RED 15W in Standard/Unified mode (so all traffic is tunneled to the UTM, internal and external). I am trying to add another wireless network in a separate zone so I can control its traffic separately from the other wireless network. I can connect to the new wireless network without issue and I receive an IP from the DHCP server running on the UTM. I can also resolve DNS and ping out to the internet from the wireless network (ping is low and stable, no observable packet loss), but when trying to load a website, traffic is passing so slowly that the page pretty much never loads. I assume at least some traffic is passing because it never really times out. The browser just sits there like it's waiting for the server. Normally if you have no traffic passing, it's going to time out within 30 or 60 seconds. That doesn't seem to happen. The other wireless network that is bridged to the LAN works fine.

Troubleshooting: I had to physically drive to the remote location to troubleshoot, so I didn't have a lot of time, but below is what I tried:

I turned off web filtering, and opened up the firewall -> no go.
I rebooted the RED and tried toggling the interface, NAT, and firewall rules on the UTM off and back on -> no go.
I tried adjusting the MTU on the interface -> no go.
I tried removing the wireless network from the AP and re-attaching it -> no go.

Below is an overview of the configuration:

Wireless Protection > Wireless Networks: Created a new wireless network:

SSID: Test-Network
Encryption: WPA2 Personal
Algorithm: AES
Client Traffic: Separate Zone
Client Isolation: Disabled

Access Points: Attached Wireless Network to the RED Access Point - the network shows up and I can connect to it without issue

Interfaces: I created an interface using wlan2 that was created for the wireless network

Name: Test-Network
Type: Ethernet
Hardware: wlan2 (Remote Wireless Network)
IPv4 address: 10.2.1.1
Netmask: /24
MTU: 1500 (same as all the other interfaces)

Network Services > DHCP: Created DHCP server for the wireless network - seems to work fine. Devices connecting to the wireless network get an IP as they should

Interface: Test-Network
Range start: 10.2.1.100
Range end: 10.2.1.254
DNS is set to Google
Default gateway: 10.2.1.1

Network Protection > Firewall: I created a rule to allow DNS, HTTP, HTTPS, PING services from Test-Network (Network) to Internet IPv4

Network Protection > NAT: Created a new Masquerading Rule for Test-Network (Network) > External (same as most of the other networks)

I also set up Web filtering, but I won't even bother posting that config here as I have the issue even with web filtering turned off.

Any clues? Is there something obvious I'm missing? Is there a better way to accomplish this? Any help is appreciated. Figured I'd try here before opening a support ticket.


