VLAN traffic segmentation between AP, switch and router

I found more info in this thread: Client isolation

It seems that this might be doable by tagging each guest AP with its own VLAN, then bridging them in the router through the package "kmod-br-netfilter", which adds netfilter support for bridges. And then setting
echo 1 > /sys/class/net/br-guestlan/bridge/nf_call_iptables

Sounds plausible?
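A way to check the setup proposed above, as an added example that is not part of the original post: it audits whether the guest bridge passes bridged frames to iptables and prints a commonly used intra-bridge drop rule. `SYSFS_ROOT`, the port names `eth0.10`/`eth0.20` and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). SYSFS_ROOT is an override invented
# here so the audit can run against a constructed tree without root.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the bridge's nf_call_iptables value; status 2 if the attribute is absent.
bridge_nf_state() {
    f="$SYSFS_ROOT/class/net/$1/bridge/nf_call_iptables"
    [ -r "$f" ] || return 2
    cat "$f"
}

# Print the bridge's member ports on one line, space separated.
bridge_ports() {
    d="$SYSFS_ROOT/class/net/$1/brif"
    [ -d "$d" ] || return 2
    echo $(ls "$d")
}

# Rule that drops frames forwarded between ports of the same bridge.
# It only sees bridged traffic once nf_call_iptables is 1.
isolation_rule() {
    echo "iptables -I FORWARD -i $1 -o $1 -j DROP"
}

# Status 0 only if bridged frames reach iptables and the bridge has >= 2 ports.
audit_guest_bridge() {
    state=$(bridge_nf_state "$1") || { echo "FAIL: $1 has no bridge/nf_call_iptables"; return 2; }
    ports=$(bridge_ports "$1") || ports=""
    n=0; for p in $ports; do n=$((n + 1)); done
    if [ "$state" != "1" ]; then
        echo "FAIL: $1 nf_call_iptables=$state, bridged frames bypass iptables"
        return 1
    fi
    if [ "$n" -lt 2 ]; then
        echo "WARN: $1 has $n port(s), nothing to isolate"
        return 1
    fi
    echo "OK: $1 filters bridged traffic between: $ports"
}

# Constructed sample tree: br-guestlan with two VLAN ports (names are made up).
demo=$(mktemp -d)
mkdir -p "$demo/class/net/br-guestlan/bridge" "$demo/class/net/br-guestlan/brif/eth0.10" "$demo/class/net/br-guestlan/brif/eth0.20"
echo 0 > "$demo/class/net/br-guestlan/bridge/nf_call_iptables"
SYSFS_ROOT="$demo"
audit_guest_bridge br-guestlan || true      # flag still 0: audit fails
echo 1 > "$demo/class/net/br-guestlan/bridge/nf_call_iptables"
audit_guest_bridge br-guestlan && isolation_rule br-guestlan
```

On a real router, run the functions with `SYSFS_ROOT` unset so they read `/sys`; the value written with `echo 1` does not survive a reboot unless it is reapplied at startup.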