Guest Virtual AP Isolation

I’m sure this is an FAQ, and while I’ve read a few helpful articles I can’t seem to get my solution dialed in.

In short I have a Virtual AP (VLAN 8) on an RB951G-2HnD. This VLAN is trunked to my internet connection device. While this works well, I would like for my guest network to be isolated such that it can only talk to my edge device (with an IP of 10.11.12.8) and no others.

Is the best approach to have a firewall rule on the WAP, or do I need firewall rules at each network device traffic passes through? On a MikroTik device, what should that rule look like?

Thanks in advance for any help. I’ve tried a few different rule combinations with no success.