See my reply in post 3. Use the router in Router mode and only give out the Guest SSID and password for that router. Then guests will stay isolated.
Could you help me understand this approach better please.
If the secondary device, intended as an access point, is operated in router mode, then it cannot be used as a media server for the whole network, unless the ASUS exposes its internal features on the WAN interface in router mode (and I do hope that's not the case).
This means that if one wants media server functionality, it must be deployed on the primary router, which implies that it would be visible to clients of the guest network without further measures. The same applies to any other functionality at the primary router, such as additional subnets, a connected VoIP box, the config pages of the WAN modem(s)/router(s), etc.
If the above is not wrong, then in the absence of VLAN tagging, I think there's still hope regarding operating the second device as an AP along the lines of the following (which would also help with balancing load -- let the primary device handle WAN and the secondary be a media server).
With additional ebtables/iptables rules you could block certain ports towards your router, I guess.
After a first look, it might e.g. be possible to use the ebtables MAC NAT mechanism to present all guest WiFi traffic to the outside with a unique (otherwise nonexisting) MAC address (if there's a per-SSID ebtables chain or any other filtering available to distinguish guest WLAN traffic from the rest). Additionally, packets must be restricted to targeting the primary router. Then, in the primary router, all traffic with the guest WiFi's MAC address must be restricted to target the WAN port.
Just a thought at this point in time. Will look into this fancy stuff but can't name an ETA now.