Thanks karog, I readed it before. But this approach uses firewall with accept default policy, guest network can access to every network not listed on the group, and we want to setup drop policy as default and rules more oriented to listing only accesible network and deny every other not explicity permited.
The main problem I have is: if only accept local networks WORKING_NETWORK explicity, I will not be able to start new connections to internet. Maybe the solution comes by adding new rule with the ROUTER IP or default router gateway as accepted destinations. But I don't know if this is common setup or not recommendable practice. Any suggestion?