The point being made is you have provided very little information to help us answer your question.
/export hide-sensitive file=yourconfig
If you have ubuntu on same subnet as the main LAN its difficult to separate out.
Much better to put that wifi on its own VLAN, or off the bridge on its own LAN etc.......
Then you are separated from the main LAN by L2 and you an apply L3 firewall filter rules (forward chain) that state
allow local traffic to ISP (lan to wan)
drop everything else (and thus vlan to LAN or LAN to VLAN traffic is not permitted).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)