Create a bridge for your “restricted” SSID (only, no other interfaces). Assign it an IP on its own subnet and set it up for DHCP. Put it on its own firewall zone. Set the rules as you desire on that zone.
Probably no forwarding allowed. You probably want to block all input except for DHCP, DNS, and whatever you use for file sharing as well.