Why not make a route to the gateway of the Edge Router. Then set up an exclude for the rest of the subnet in the firewall?
As long as the gateway can also make a route to the guest AP, this will work. (the request was for no double-nat)
After reading how this thread has progressed, I still stand by my original recommendation - create a "guest network" interface on the main router - either as a vlan or as a stand-alone ethernet interface - logically this doesn't matter to IP - it only matters that the router has 3 IP interfaces: wan, lan, guest and that these are on different broadcast domains (i.e. not multi-IP in the same LAN). If simple bridge-only APs are connected, then they will broadcast the LAN if connected to a LAN interface of the router, and they will broadcast GUEST if connected to a guest interface of the router. (by this, I don't mean the SSID, but the actual network that associated stations will be connected to). It's very easy.
In a network you control, this is the best solution. The second-best is to route a guest IP range at a wireless router which will have a firewall rule blocking guest->lan IP range packets.
Using vlans instead of physical interfaces does have one advantage - a single AP could be configured with both SSIDs, using the vlan tag to keep 'em separated from each other on the wire.
Somewhere in this thread, I think I recall seeing someone mention a portable guest AP that you can just plug into anything -
If you want a portable "plug it in anywhere" guest AP, then the AP needs to operate as a NAT router with the ethernet interface as its WAN - yes this will introduce double NAT, but double nat isn't really harmful for most applications - VoIP, some gaming, and possibly FTP could be affected (usually, it's applications that require NAT helpers anyway) but the standard stuff you want to offer a guest network for (web, email) will work through double NAT without any problems at all.
The real tricky part of the "portable" guest AP is in restricting access to the immediate IP range of whatever the WAN is connected to. If the wan IP of the portable AP is dynamic, then you're either forced to use scripts to update a filter list with whatever range of IP is currently on the WAN, or just block dst-address-list=private_ip where private_ip = 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12. I recommend the second method because this would work for any arbitrary private IP topology upstream from the portable AP. Also, I would recommend that such an AP should use DNS proxy, with the AP itself using whatever DNS server is assigned by the host network - because you never know what policy a network will have. If you tried to just use 8.8.8.8 or some other well-known public DNS server for guest clients, this would break if connecting the portable AP to a network that blocks outbound DNS requests and requires you to use a local DNS server with a private IP....
If you really wanted to get cute and GUARANTEE that your LAN IP of the portable guest router AP would never conflict with any LAN you'd connect it to - then try using an obscure LAN such as the documentation prefix (i.e. 192.0.2.x/24) - which is a bit of a breach of standards, but you're going to NAT that out anyway, right? Sure, 192.168.174.x is rare, but if that's the guest AP's lan range, and you plug it into something using that subnet, it would fail - and you want mega-portability for this thing, right?
