Using firewall zones alone won't be enough to control access to the lan since you don't have any wan interface. You'll have to add firewall traffic rules that control access from the guest network and which allow access to 192.168.1.254 and block access to 192.168.1.0/255.255.255.0.
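As an added illustration of the rules described above (example configuration written for this page, not taken from the thread or from OpenWrt's own documentation): a shell function that emits the /etc/config/firewall stanza for a guest zone on an access point whose only upstream is the lan zone, plus a small check that the ACCEPT for the router precedes the REJECT for the lan subnet. The interface name "guest", the AP's management address 192.168.1.2 and the guest subnet 192.168.4.0/24 are assumptions; 192.168.1.254 and 192.168.1.0/24 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: OpenWrt AP with a "guest"
# interface (192.168.4.1/24), AP lan address 192.168.1.2, main router
# 192.168.1.254, no wan interface (the lan zone is the only upstream).

guest_firewall_config() {
    # Quoted heredoc: nothing is expanded, the text is emitted verbatim.
    cat <<'EOF'
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guest traffic has to be forwarded into the lan zone to reach the router
# and the Internet; the rules below decide what inside that zone it may touch.
config forwarding
	option src 'guest'
	option dest 'lan'

# Guest clients need DHCP (and DNS if the AP answers it) from the AP itself.
# A rule without 'dest' applies to the AP's input chain.
config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Rules are evaluated in file order: the ACCEPT for the router must come
# before the REJECT for the whole lan subnet, or it is never reached.
config rule
	option name 'guest-allow-router'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.254'
	option target 'ACCEPT'

config rule
	option name 'guest-block-lan'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
EOF
}

# Sanity check on the generated text: the router ACCEPT must be listed
# before the subnet REJECT. Prints "ok" or "BAD".
check_rule_order() {
    allow=$(guest_firewall_config | grep -n "option name 'guest-allow-router'" | cut -d: -f1)
    block=$(guest_firewall_config | grep -n "option name 'guest-block-lan'" | cut -d: -f1)
    if [ -n "$allow" ] && [ -n "$block" ] && [ "$allow" -lt "$block" ]; then
        echo ok
    else
        echo BAD
    fi
}

# Usage on the AP (assumed paths): append the stanza and reload the firewall.
#   guest_firewall_config >> /etc/config/firewall
#   /etc/init.d/firewall restart
check_rule_order
```

Two things the stanza does not solve on its own. First, with the rules in the wrong order the REJECT for 192.168.1.0/24 also swallows 192.168.1.254, so check_rule_order is worth running before reloading. Second, the return path: the main router must either have a static route for 192.168.4.0/24 via the AP's lan address (192.168.1.2 here), or the AP's lan zone needs `option masq '1'` so guest traffic leaves the AP with its lan address as source; the second option is the one to use when the upstream router offers no way to add a route.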
OK, I almost killed my config...
I wanted to put the guest in the same subnet as lan to check if it's easy to create rules... But I kind of killed access to LuCI and SSH.
I recovered using failsafe boot and SSH (at least I learnt how to do this).
This area is a bit sensitive for my knowledge...
Why do you want the guest network and lan to use the same subnet?
If you want to use the same subnet then you have to bridge the interfaces since you can't use the same subnet on multiple interfaces. But traffic between devices on the same interface will be handled by the switch or bridge directly and won't reach netfilter/iptables. Though you may be able to use ebtables to implement a bridging firewall.
But I think I cannot achieve this now.
If I understood correctly, a route needs to be set in the router (at § Tell your router about the new network).
But my current router (from my ISP) does not offer any option to define a route.
I plan to change my setup soon to add a firewall (maybe opnsense)... things may change after that.
I'm back! OK, got some changes.
I was not able to understand how to handle masquerade...
But in the meantime, I dropped my ISP router (I mean I set it to bridge mode) and I set up an opnsense device as main firewall / router / DHCP.
So I set a route as suggested in the tutorial.
Unfortunately, I was not able to make the guest wifi work.
Here is where I'm stuck:
Traceroute from LAN (192.168.1.17) to guest (192.168.4.106) works... I can reach my guest phone from my lan.
Traceroute from my phone (connected on guest) as 192.168.4.106 to my router (192.168.1.254) does not work. It stops at 192.168.4.1, which is the "guest" interface associated with the guest wifi AP.