RidgebackKing DD-WRT Novice
Joined: 05 Nov 2012 Posts: 6
Posted: Sat Oct 11, 2014 22:09 Post subject: Use ebtables to block access to specific subnet?
I have two routers on my network, my Verizon Actiontec with the wireless disabled and an Asus RT-AC87U for the wireless. All of my wired connections go to the Actiontec. I tried setting up the Asus as an AP but I could never get a guest network to work in AP mode, so my once single 10.10.10.0/24 network is now 10.10.10.0/24 on the Actiontec for the wired and 192.168.1.0/24 on the Asus for the wireless.
I created a guest network on the Asus and while they cannot connect to any other 192.168.1.0/24 PCs, I need to prevent them from accessing the 10.10.10.0/24 network of my wired PCs as well. On the Asus, it looks like the guest network is interface wl0.1. The 10.10.10.0/24 network is vlan2. How would I use ebtables (assuming that's the best solution) to prevent my 192.168.1.0 (wl0.1) PCs from talking to my 10.10.10.0 (vlan2) PCs?
If it helps:
admin@RT-AC87U:/tmp/home/root# ebtables -Lnv
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
admin@RT-AC87U:/tmp/home/root#