Yes, each interface on a routerboard can be its own separate routed interface. So you can set up ether3 (as long as it’s not part of the switch chip) to be its own interface with its own DHCP server, IP subnet, Hotspot, or any other services you want to run on it.
With that being said, since you have an unmanaged switch on your current LAN, that means you MUST use separate hardware for the guest LAN and the normal LAN (switches and access points). Since the routerboard then becomes the layer 3 hop and traffic needs to flow over it to get from ether3 to ether4, you can block all connections between the two in the firewall. If you wanted to further isolate people on the guest LAN from each other, then you need to purchase hardware that will do that for you; that is not something that can be solved or handled on the router, it needs to be done at the edge of the network.
Yup, those are the filter rules you want to prevent all communication between ports 3 and 4 (provided ports 3 and 4 are not part of the same switch group).
As dum3r says, if you don’t have a manageable switch, the only way is to have two different physical LANs, so that you can connect your guest LAN directly to eth3. It will be automatically separated from the rest of your network because, by default, the interfaces on the router do not communicate until you bridge them or make a route.
You bet you can. I’m doing exactly that. Here is a firewall rule that allows the IP addresses that are in my “Privileged” list to access the interface Ether4 (which I have named E4-p7_207). You could also just have the specific IP entered instead of a list, but I have a couple of allowed locations and addresses, so creating a list makes it easier.
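
For reference, an added example (not posted by anyone in this thread) of RouterOS filter rules of the kind discussed above: new connections between ether3 and ether4 are dropped in the forward chain, with an address-list exception placed above the drops. It assumes ether3 (guest) and ether4 (LAN) are standalone routed ports outside any bridge or switch group; the addresses in the Privileged list are constructed documentation addresses.

```routeros
# Added example, not from the thread. ether3 = guest port, ether4 = normal LAN port.
# Substitute your own interface names (e.g. a renamed port) and real addresses.

/ip firewall address-list
# Constructed sample entries for the "Privileged" list.
add list=Privileged address=192.0.2.10 comment="constructed sample host"
add list=Privileged address=198.51.100.0/24 comment="constructed sample range"

/ip firewall filter
# Rules are evaluated top to bottom, so accepts must sit above the drops.

# 1. Allow replies belonging to connections that were already permitted.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic"

# 2. Exception: sources in the Privileged list may open connections to ether4.
add chain=forward src-address-list=Privileged out-interface=ether4 \
    action=accept comment="Privileged -> ether4"

# 3. Block new connections between the guest port and the LAN port,
#    in both directions.
add chain=forward in-interface=ether3 out-interface=ether4 action=drop \
    comment="guest -> LAN"
add chain=forward in-interface=ether4 out-interface=ether3 action=drop \
    comment="LAN -> guest"

# Check that the drop rules are matching traffic (packet/byte counters):
/ip firewall filter print stats
```

These rules cover only traffic routed through the router (the forward chain); guest-to-guest traffic on the same switch or access point never reaches them, which is why that isolation has to be done at the edge hardware.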