Restrict one new AP to only access WAN

I have a Turris Mox, with a guest network (+ guest wifi) set up. I want to set up a wired access point using an old(ish) router, where I don’t want to allow any access to the LAN, only to the general internet (WAN).

I’m trying to use firewall rules, routes and traffic rules, but nothing seems to get this done. Is there any recommended way to do this if the guest network is already set up and hopefully should be working?

Take out one LAN port from Br-lan and put it in br-guest-turris. And use that LAN port to connect to your old router. Be sure to disable DHCP on the old router. And voila! You have a dumb AP setup.

I have not been specific: the AP part is working, I have both Internet and LAN access from it. The AP is connected to the Turris Mox through an intermediate switch, and I cannot dedicate a lan port to it.

However, I do want to restrict the LAN access from that AP; I just want it to be guest-network only.

Without knowing your configuration I cannot help. By default access to LAN from GUEST is denied. Did you enable forwarding from Guest zone to lan? Is your switch manageable?