I have a similar setup with an ER-X and an AirPort Extreme as my AP.
Here's what I did for a firewall.
As a warning, I'm just learning and wrote this myself after watching and reading what I could.
set firewall group address-group GUEST address 192.168.100.0/24
set firewall group address-group GUEST description GUEST
set firewall group address-group LAN address 192.168.1.0/24
set firewall group address-group LAN description LAN
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description GUEST_IN
set firewall name GUEST_IN rule 1 action accept
set firewall name GUEST_IN rule 1 description Established
set firewall name GUEST_IN rule 1 log disable
set firewall name GUEST_IN rule 1 protocol all
set firewall name GUEST_IN rule 1 state established enable
set firewall name GUEST_IN rule 1 state related enable
set firewall name GUEST_IN rule 2 action drop
set firewall name GUEST_IN rule 2 description LAN
set firewall name GUEST_IN rule 2 destination group address-group LAN
set firewall name GUEST_IN rule 2 log disable
set firewall name GUEST_IN rule 2 protocol all
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description GUEST_LOCAL
set firewall name GUEST_LOCAL rule 1 action accept
set firewall name GUEST_LOCAL rule 1 description Established
set firewall name GUEST_LOCAL rule 1 log disable
set firewall name GUEST_LOCAL rule 1 protocol all
set firewall name GUEST_LOCAL rule 1 state established enable
set firewall name GUEST_LOCAL rule 1 state related enable
set firewall name GUEST_LOCAL rule 2 action accept
set firewall name GUEST_LOCAL rule 2 description DNS
set firewall name GUEST_LOCAL rule 2 destination port 53
set firewall name GUEST_LOCAL rule 2 log disable
set firewall name GUEST_LOCAL rule 2 protocol tcp_udp
set firewall name GUEST_LOCAL rule 3 action accept
set firewall name GUEST_LOCAL rule 3 description DHCP
set firewall name GUEST_LOCAL rule 3 destination port 67
set firewall name GUEST_LOCAL rule 3 log disable
set firewall name GUEST_LOCAL rule 3 protocol udp
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces switch switch0 vif 1003 address 192.168.100.1/24
set interfaces switch switch0 vif 1003 description GUEST_IOT
set interfaces switch switch0 vif 1003 firewall in name GUEST_IN
set interfaces switch switch0 vif 1003 firewall local name GUEST_LOCAL
set interfaces switch switch0 vif 1003 mtu 1500
set service dns forwarding listen-on switch0.1003
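Added example, not part of the post above and not EdgeOS code: a small Python model that parses the GUEST_IN and GUEST_LOCAL rulesets (restated inline, with descriptions and log settings left out) and walks a few constructed packets through them, so you can see which guest traffic the config drops and which it lets through. The model assumes EdgeOS semantics of first match wins in rule-number order, the default-action applies when nothing matches, and several enabled `state` keywords on one rule are ORed; the packet addresses are constructed from documentation ranges, and the function names (`parse_config`, `evaluate`, `guest_isolation_report`) are this example's own.

```python
import ipaddress

# Constructed input: the GUEST_IN / GUEST_LOCAL part of the config above,
# restated inline (descriptions and "log disable" omitted) so this runs alone.
CONFIG = """
set firewall group address-group GUEST address 192.168.100.0/24
set firewall group address-group LAN address 192.168.1.0/24
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 1 action accept
set firewall name GUEST_IN rule 1 protocol all
set firewall name GUEST_IN rule 1 state established enable
set firewall name GUEST_IN rule 1 state related enable
set firewall name GUEST_IN rule 2 action drop
set firewall name GUEST_IN rule 2 destination group address-group LAN
set firewall name GUEST_IN rule 2 protocol all
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 1 action accept
set firewall name GUEST_LOCAL rule 1 protocol all
set firewall name GUEST_LOCAL rule 1 state established enable
set firewall name GUEST_LOCAL rule 1 state related enable
set firewall name GUEST_LOCAL rule 2 action accept
set firewall name GUEST_LOCAL rule 2 destination port 53
set firewall name GUEST_LOCAL rule 2 protocol tcp_udp
set firewall name GUEST_LOCAL rule 3 action accept
set firewall name GUEST_LOCAL rule 3 destination port 67
set firewall name GUEST_LOCAL rule 3 protocol udp
"""


def parse_config(text):
    """Parse 'set firewall ...' lines into address groups and named rulesets."""
    groups = {}    # group name -> list of ip_network
    rulesets = {}  # ruleset name -> {"default": action, "rules": {num: rule}}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["set", "firewall"]:
            continue  # interface/service lines are not modelled here
        if tok[2] == "group" and tok[3] == "address-group" and tok[5] == "address":
            groups.setdefault(tok[4], []).append(ipaddress.ip_network(tok[6]))
        elif tok[2] == "name":
            rs = rulesets.setdefault(tok[3], {"default": "drop", "rules": {}})
            if tok[4] == "default-action":
                rs["default"] = tok[5]
            elif tok[4] == "rule":
                rule = rs["rules"].setdefault(int(tok[5]), {"protocol": "all", "states": set()})
                key = tok[6]
                if key == "action":
                    rule["action"] = tok[7]
                elif key == "protocol":
                    rule["protocol"] = tok[7]
                elif key == "state" and tok[8] == "enable":
                    rule["states"].add(tok[7])          # enabled states are ORed (assumption)
                elif key == "destination" and tok[7] == "port":
                    rule["dport"] = int(tok[8])
                elif key == "destination" and tok[7:9] == ["group", "address-group"]:
                    rule["dgroup"] = tok[9]
    return groups, rulesets


def rule_matches(rule, pkt, groups):
    """True if every match criterion configured on the rule fits the packet."""
    proto = rule["protocol"]
    if proto != "all":
        allowed = {"tcp", "udp"} if proto == "tcp_udp" else {proto}
        if pkt["proto"] not in allowed:
            return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "dgroup" in rule:
        dst = ipaddress.ip_address(pkt["dst"])
        if not any(dst in net for net in groups[rule["dgroup"]]):
            return False
    return True


def evaluate(ruleset_name, pkt, groups, rulesets):
    """Walk rules in numeric order; first match wins, else the default-action."""
    rs = rulesets[ruleset_name]
    for num in sorted(rs["rules"]):
        if rule_matches(rs["rules"][num], pkt, groups):
            return rs["rules"][num]["action"], num
    return rs["default"], None


def guest_isolation_report(groups, rulesets):
    """Verdicts for constructed guest-VLAN packets (203.0.113.0/24 is a documentation range)."""
    cases = {
        "guest -> LAN, new connection":          ("GUEST_IN", dict(dst="192.168.1.10", proto="tcp", dport=445, state="new")),
        "guest -> LAN, reply to LAN-initiated":  ("GUEST_IN", dict(dst="192.168.1.10", proto="tcp", dport=5000, state="established")),
        "guest -> internet, new connection":     ("GUEST_IN", dict(dst="203.0.113.10", proto="tcp", dport=443, state="new")),
        "guest -> router DNS (udp/53)":          ("GUEST_LOCAL", dict(dst="192.168.100.1", proto="udp", dport=53, state="new")),
        "guest -> router DHCP (udp/67)":         ("GUEST_LOCAL", dict(dst="192.168.100.1", proto="udp", dport=67, state="new")),
        "guest -> router SSH (tcp/22)":          ("GUEST_LOCAL", dict(dst="192.168.100.1", proto="tcp", dport=22, state="new")),
    }
    return {name: evaluate(rs, pkt, groups, rulesets)[0] for name, (rs, pkt) in cases.items()}


if __name__ == "__main__":
    g, r = parse_config(CONFIG)
    for name, verdict in guest_isolation_report(g, r).items():
        print(f"{name:40s} {verdict}")
```

The report makes the shape of the policy visible: guest hosts cannot open connections into the LAN group but can answer flows the LAN started, and the router itself only answers DNS and DHCP from the guest side. It also shows the one thing worth double-checking in a config like this: because GUEST_IN defaults to `accept`, isolation depends entirely on the LAN address-group listing every internal subnet that should be off-limits.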