Separate VLANs on Router+AP

My hardware setup runs on two Ubiquiti devices: EdgeRouter X + UniFi AC Lite

The AC is a bridged AP and does nothing else other than bridge LAN traffic to the ERX.

What I'm trying to achieve is a separate WLAN+VLAN that is firewalled off from the rest of the network and has no WAN access at all. However, it must be able to talk to other devices on the wired LAN.

On one device this is easy to do, but I'm not sure how to do this when the router and the AP are two separate devices, since the router sees all WLAN traffic as coming from the AP IP, so I can't differentiate between different packets in the firewall.

Any ideas how to do this?

If you VLAN-tag all traffic between the router and the AP then there should be no issue. The packets will be tagged so that your AP and router will be able to sort them. I have a similar setup where my AP provides two separate SSIDs which belong to two different /24 networks (invisible to each other). All firewalling is done on the router.
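Added example (not posted by anyone in this thread): an EdgeOS configuration on the EdgeRouter X that implements the tagged setup described above. It assumes the AP hangs off eth1, the existing wired LAN is untagged VLAN 1 on 192.168.1.0/24, and the new isolated WLAN is VLAN 10 on 192.168.10.0/24; the VLAN ID, subnets, port and ruleset names (ISOLATED_IN, ISOLATED_LOCAL) are all illustrative choices, not anything from the original post. On the UniFi side the only change is to create the second SSID in the controller with "Use VLAN" set to 10; the AP itself keeps its untagged management address and just tags that SSID's frames onto the uplink.

```vyatta
configure

# Make the built-in switch VLAN-aware. Once this is on, each port needs an
# explicit PVID, otherwise untagged LAN traffic stops flowing. eth1 (assumed
# AP uplink) additionally carries VLAN 10 tagged; eth2-eth4 stay untagged LAN.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 1

# Router-side interface for VLAN 10. This is the gateway for the isolated WLAN.
set interfaces switch switch0 vif 10 description 'Isolated WLAN (assumed subnet)'
set interfaces switch switch0 vif 10 address 192.168.10.1/24

# DHCP and DNS forwarding for the isolated clients (assumed ranges).
set service dhcp-server shared-network-name ISOLATED subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name ISOLATED subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name ISOLATED subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dns forwarding listen-on switch0.10

# Forwarded traffic *from* VLAN 10: default drop, so WAN is unreachable,
# with one exception allowing the wired LAN. Replies from the LAN are not
# filtered here because they enter on switch0, not switch0.10.
set firewall name ISOLATED_IN default-action drop
set firewall name ISOLATED_IN description 'VLAN 10 -> forwarded'
set firewall name ISOLATED_IN rule 10 action accept
set firewall name ISOLATED_IN rule 10 description 'Isolated WLAN may reach the wired LAN'
set firewall name ISOLATED_IN rule 10 destination address 192.168.1.0/24
set firewall name ISOLATED_IN rule 10 protocol all

# Traffic from VLAN 10 *to the router itself*: only DHCP and DNS, nothing else
# (no SSH, no web UI from the isolated segment).
set firewall name ISOLATED_LOCAL default-action drop
set firewall name ISOLATED_LOCAL description 'VLAN 10 -> router'
set firewall name ISOLATED_LOCAL rule 10 action accept
set firewall name ISOLATED_LOCAL rule 10 description 'DHCP'
set firewall name ISOLATED_LOCAL rule 10 protocol udp
set firewall name ISOLATED_LOCAL rule 10 destination port 67
set firewall name ISOLATED_LOCAL rule 20 action accept
set firewall name ISOLATED_LOCAL rule 20 description 'DNS'
set firewall name ISOLATED_LOCAL rule 20 protocol tcp_udp
set firewall name ISOLATED_LOCAL rule 20 destination port 53

# Attach both rulesets to the VLAN 10 interface.
set interfaces switch switch0 vif 10 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 10 firewall local name ISOLATED_LOCAL

commit
save
exit
```

To check it, join a client to the new SSID: it should get a 192.168.10.x lease, be able to ping a wired host on 192.168.1.0/24, and fail to reach any Internet address; `show firewall name ISOLATED_IN statistics` on the router should then show the default-drop counter climbing. The DNS forwarding lines are a convenience: if the segment must have no indirect path to the Internet at all, drop them (and the port 53 rule) and point the clients at a resolver on the wired LAN instead.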

Yeah I assumed that is possible. Any place I can look at a sample setup or some relevant documentation? Thanks!