cnPilot guest wifi isolation

Thank you for your efforts. It seems we are on the right track, but it did not bring the desired result.

Here is the Zyxel solution:

Zyxel Knowledge Base Article: How to isolate guest wifi from accessing main resource on NAP series?

It is working very well.
Found an older post by firefly from Cambium.

I think this is the solution:

Rule                                      | Description
acl deny mac 17 any ff:ff:ff:ff:ff:ff out | deny L2 broadcast packets going on air
acl permit mac 24 any any any             | allow all other packets in both the directions

But something is missing, because this rule blocks communication between clients, but it also blocks the Internet connection.

Where did I make a mistake with the setting?