I'm having issues with comprehending this as I'm quite novice in networking.
Let's say there's main router at 192.168.A.0/24
And there are several routers connected to it. I've bought few new routers, all TP-Link.
Some of them needs access to everything and are set to a different subnet's like 192.168.B.0/24 and 192.168.C.0/24,...
Then there's couple of Archer C50 of too recent version to have stable OpenWRT images, so I kept original firmware and the original firmware has something called Access Control. where I can create hosts lists and just block their access to another hosts list specified by range not exhaustively. I haven't thoroughly checked, but at least that prevents pinging to those different subnets and as well it's hard to know for sure how TP-Link firmware exactly does that.
Now I have this TL-WR841N V13 , to which I've flashed OpenWRT snapshot(I was surprised to find out that this 13th version is 8/64). I want to use it as dedicated guest AP, without using VLAN switches or altering configurations of the main router. This router (lets say on 192.168.Z.0/24 subnet) is supposed to let all clients connected to access so called "The Internet", but prevent it's clients from accessing any other 192.168.A-Y.0/24 subnets devices.
So I'm looking for some hints as I don't entirely understand the complications. So from OpenWRT perspective would that be some specific firewalling, as when it goes there I remember watching videos of Nmap creator making fun of misconfigured firewalls. When I try experimenting with firewall settings I often end up having to reset this device again and again achieving nothing. And I don't seem to find an article describing something I have in mind, There are articles about guest wifi, but they dont seem to be exactly what I need. I even tried that at home with OpenWRT network appliance behind my OpenBSD main Tower router, following that procedure I've just ended up not getting internet access for "guests" and reading around seemed like those guides are for using OpenWRT as main router and just separating Wireless LAN from Ethernet LAN on the same device.
Another idea I've had was that using some external box and making wireguard tunnel for router as entry point and external VPS like an exit point creating "virtual cable". Thing is that in this setup main router cannot yet, be manipulated by me and it uses RouterOS (which is ugly).