I think that you may get what you want by following the guest network guide, but in the firewall config:
- do not set up forwarding from guest zone into wan zone,
- instead set forwarding from guest zone to lan zone.
I have not tried it, but that should enable the guest zone devices to communicate with devices in LAN but not be able to reach WAN.
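
Added example, not part of the original post: a small check that a firewall config has the forwarding layout described above. It assumes the config is OpenWrt UCI syntax (as in `/etc/config/firewall`) with zones named `guest`, `lan` and `wan`; the sample config and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in OpenWrt UCI syntax (assumed platform). Zone names
# follow the post; the lan -> wan forwarding is the usual default.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
config zone
    option name 'wan'
config zone
    option name 'guest'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'lan'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens[:1] == ["config"] and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[:1] == ["option"] and len(tokens) == 3 and sections:
            sections[-1][1][tokens[1]] = tokens[2]
    return sections

def forward_targets(text, src_zone):
    """Zones that src_zone may forward into via 'config forwarding' sections."""
    return {opts["dest"] for kind, opts in parse_uci(text)
            if kind == "forwarding" and opts.get("src") == src_zone and "dest" in opts}

def check_guest(text, guest="guest", lan="lan", wan="wan"):
    """List deviations from the layout in the post (empty list = matches)."""
    targets = forward_targets(text, guest)
    problems = []
    if wan in targets:
        problems.append(f"{guest} -> {wan} forwarding present")
    if lan not in targets:
        problems.append(f"{guest} -> {lan} forwarding missing")
    return problems
```

This only inspects `config forwarding` sections; explicit `config rule` entries that accept guest traffic towards wan would need a separate review.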