I use a similar setup except there's a switch in between.
So Winbox is your friend here...
- In interfaces select ether10 and add a VLAN interface on ether10, with the proper VLAN id, let's say called vlan-guest
(From here on, that interface is treated like any other network interface)
- Give it an IP address outside any other subnets, e.g. 172.16.0.1/24
- Create an IP pool that will be used for guest access, let's say pool_guests, holding e.g. 172.16.0.100-172.16.0.200
- Create a new DHCP server on interface vlan-guest using pool_guests
- Add a new DHCP network with address 172.16.0.0/24, gateway 172.16.0.1 and DNS 172.16.0.1
At this point, you may test the setup. The client connected to the Guest SSID should get a DHCP address from that pool, with the proper gateway and DNS server.
Next you need to enable forwarding and masquerading for this subnet, while maintaining isolation.
1. Forward: Accept established+related from pppoe to vlan-guest
2. Forward: Accept everything from vlan-guest to pppoe
3. Forward: Drop everything else from and to vlan-guest
4. Input: Accept ICMP from vlan-guest (for debug purposes)
5. Input: Accept UDP port 53 (DNS) from vlan-guest
6. Input: Drop everything else from vlan-guest
Masquerading on WAN needs no change if it is already set up.
This should do it.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
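Added example, not from the post above: the same steps written out as RouterOS terminal commands instead of Winbox clicks. It assumes the WAN PPPoE interface is named pppoe-out1, VLAN ID 10 and a DHCP server name of dhcp-guest; all other names and addresses are the ones from the post.

```routeros
# Assumed names: WAN interface "pppoe-out1", VLAN ID 10, DHCP server "dhcp-guest".
# Filter rules are evaluated top to bottom, so the accepts must come before the drops.

# VLAN interface on ether10 (the switch port towards the guest AP must carry this tag)
/interface vlan add name=vlan-guest vlan-id=10 interface=ether10

# Gateway address, pool, DHCP server and DHCP network for the guest subnet
/ip address add address=172.16.0.1/24 interface=vlan-guest
/ip pool add name=pool_guests ranges=172.16.0.100-172.16.0.200
/ip dhcp-server add name=dhcp-guest interface=vlan-guest address-pool=pool_guests disabled=no
/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1
# The router answers guest DNS queries itself, which needs remote requests enabled;
# make sure the input chain also drops port 53 arriving from pppoe-out1, otherwise
# the router becomes an open resolver on the WAN side
/ip dns set allow-remote-requests=yes

# Forward chain: guests reach the WAN only, never the other subnets
/ip firewall filter add chain=forward connection-state=established,related \
    in-interface=pppoe-out1 out-interface=vlan-guest action=accept comment="guest: return traffic"
/ip firewall filter add chain=forward in-interface=vlan-guest out-interface=pppoe-out1 \
    action=accept comment="guest: to WAN"
/ip firewall filter add chain=forward in-interface=vlan-guest action=drop comment="guest: isolate"
/ip firewall filter add chain=forward out-interface=vlan-guest action=drop comment="guest: isolate"

# Input chain: the router itself only offers ICMP and DNS to guests
/ip firewall filter add chain=input in-interface=vlan-guest protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=vlan-guest protocol=udp dst-port=53 action=accept
# (the post lists UDP only; a matching protocol=tcp dst-port=53 rule is needed
#  if answers too large for UDP fall back to TCP)
/ip firewall filter add chain=input in-interface=vlan-guest action=drop

# Quick check from the router: the guest address and the per-rule hit counters
/ip address print where interface=vlan-guest
/ip firewall filter print stats where in-interface=vlan-guest
```

If a guest client can still ping a LAN host, check with the second print that the forward drop rules sit below the accepts and that their counters are increasing.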