IoT (limited internet) wifi AP from second OpenWrt

Edit: There is already a good guide on how to do something similar here; I don't know how I didn't find it earlier.

Hello, I'd like to create a wifi AP for untrusted gadgets in the home to have no access to the internet (or maybe limited access later), where the wifi radio is on a 2nd OpenWrt router/switch.

The primary router (WRT3200ACM with OpenWrt 21.02) serves the LAN and wifi for trusted devices and provides internet via tun0.

A second router (WRT1900ACS with OpenWrt 23.05), connected via its LAN port, now expands the available ports and radios with DHCP disabled, effectively as a switch with wifi. Testing with my laptop works so far.

Now I'm uncertain how to create an IoT AP on the second router with access to the LAN but blocked internet on the first router. Please can someone point me in the right direction?