Restrict internet access to certain devices


I have this scenario: My router has 2 ways to access the internet:

One is an LTE stick (device eth2) which is always connected, and the other is my phone (device usb0) which is only sometimes present. I have set up metrics so that when both devices are present, all traffic is routed over my phone.

What I now need is this:

With my phone present, all clients should be able to freely access the internet via the phone. However, when my phone is not present, I only want 2 clients to be able to access the internet via the stick; every other client should not be able to use the stick.

How do I do that?

Create two separate wan-like firewall zones, then allow unconditional forwarding to the phone (standard config forwarding), but write conditional rules for the stick.
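
The layout described in the answer above, written out as an added example (not part of the original reply), assuming the router runs OpenWrt and uses its `/etc/config/firewall` zone, forwarding and rule sections. The interface names `wan_phone` (usb0) and `wan_stick` (eth2), the zone names and the two client addresses are constructed placeholders.

```uci
# /etc/config/firewall (excerpt), added example
# Assumed network interfaces: 'wan_phone' = usb0, 'wan_stick' = eth2

# Uplink 1: the phone, present only sometimes
config zone
	option name 'phone'
	list network 'wan_phone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Uplink 2: the LTE stick, always connected
config zone
	option name 'stick'
	list network 'wan_stick'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Unconditional: every LAN client may be forwarded to the phone
config forwarding
	option src 'lan'
	option dest 'phone'

# Deliberately no 'config forwarding' from lan to stick.
# Traffic towards the stick must match the rule below; anything else
# falls through to the default forward policy, which should be
# REJECT or DROP in the 'config defaults' section.

# Conditional: only the two permitted clients may use the stick
# (constructed addresses, replace with the real ones)
config rule
	option name 'Allow-stick-clients'
	option src 'lan'
	option dest 'stick'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	option proto 'all'
	option target 'ACCEPT'
```

Source-address rules only hold while the two clients keep those addresses, so pin them with static DHCP leases. The rule as written matches IPv4 only.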