My hardware setup runs on two Ubiquiti devices: EdgeRouter X + UniFi AC Lite
The AC is a bridged AP and does nothing else other than bridge LAN traffic to the ERX.
What I'm trying to achieve is a separate WLAN+VLAN that is firewalled off from the rest of the network and has no WAN access at all. However, it must be able to talk to other devices on the wired LAN.
On a single device this is easy to do, but I'm not sure how to do it when the router and the AP are two separate devices, since the router sees all WLAN traffic as coming from the AP's IP, so I can't differentiate between packets in the firewall.
Any ideas how to do this?
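One way to set this up, as an added example that is not part of the original post: a bridged UniFi AP forwards client frames with the clients' own MAC and IP addresses, and if the WLAN is mapped to a VLAN in the controller the frames arrive at the router tagged. The router can then route and firewall that VLAN on its own sub-interface, with a default-drop ruleset that only admits the wired LAN subnet, which blocks WAN implicitly. The EdgeOS configure-mode commands below assume VLAN 20 for the isolated WLAN (192.168.20.0/24), the wired LAN on 192.168.1.0/24 over switch0, the AP plugged into eth1, and the other switch ports eth2 to eth4 untagged on the LAN; the interface, subnet, port and ruleset names are all assumptions, not taken from the post.

```text
# Added example, not the poster's configuration. Assumed layout:
#   VLAN 20 = isolated WLAN, 192.168.20.0/24 (router 192.168.20.1)
#   wired LAN = 192.168.1.0/24 untagged on switch0
#   UniFi AC Lite on eth1; eth2-eth4 are ordinary LAN ports
configure

# Make the ERX switch VLAN-aware and give VLAN 20 a routed sub-interface.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 20 description "Isolated WLAN"
set interfaces switch switch0 vif 20 address 192.168.20.1/24

# Every switch port stays untagged on the LAN (pvid 1); only the AP port
# additionally carries VLAN 20 tagged.
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 1

# DHCP and DNS forwarding for the isolated WLAN.
set service dhcp-server shared-network-name ISOLATED subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name ISOLATED subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name ISOLATED subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dns forwarding listen-on switch0.20

# Traffic entering the router from VLAN 20 and leaving on another interface:
# accept only the wired LAN subnet plus return traffic of LAN-initiated
# flows; the default drop covers the WAN and everything else.
set firewall name ISOLATED_IN default-action drop
set firewall name ISOLATED_IN rule 10 action accept
set firewall name ISOLATED_IN rule 10 description "Allow to wired LAN"
set firewall name ISOLATED_IN rule 10 destination address 192.168.1.0/24
set firewall name ISOLATED_IN rule 20 action accept
set firewall name ISOLATED_IN rule 20 state established enable
set firewall name ISOLATED_IN rule 20 state related enable

# Traffic from VLAN 20 addressed to the router itself: DHCP and DNS only,
# so WLAN clients cannot reach the router's SSH/web UI.
set firewall name ISOLATED_LOCAL default-action drop
set firewall name ISOLATED_LOCAL rule 10 action accept
set firewall name ISOLATED_LOCAL rule 10 protocol udp
set firewall name ISOLATED_LOCAL rule 10 destination port 67
set firewall name ISOLATED_LOCAL rule 20 action accept
set firewall name ISOLATED_LOCAL rule 20 protocol tcp_udp
set firewall name ISOLATED_LOCAL rule 20 destination port 53

set interfaces switch switch0 vif 20 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 20 firewall local name ISOLATED_LOCAL

commit
save
```

On the AP side, the WLAN is created in the UniFi controller with VLAN ID 20, which makes the AC Lite tag that SSID's frames on its uplink; the AP's own management address stays in the untagged LAN. Two checks after committing: from a client on the new SSID, confirm it receives a 192.168.20.x lease and can reach a wired host but not an Internet address, and run `show firewall name ISOLATED_IN statistics` on the ERX to see the drop counter rising for the blocked traffic. Note that the router still forwards DNS queries upstream on the clients' behalf; if "no WAN access at all" is meant to include DNS, drop rule 20 from ISOLATED_LOCAL and point the DHCP `dns-server` at a resolver on the wired LAN instead.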