By accident I have managed to solve this problem finally, very cheaply.
(I had thought of all kinds of schemes involving VLANs which were ugly and complicated. I had also hit on the idea of using a second Firebrick router (since I have a spare) to police the guest wireless LAN on a separate WAP. But that means I have to obviously buy another access point and what's worse waste a precious 2.4GHz channel devoted to the Guest SSID. I had also thought about doing the same thing by buying a cheap Ethernet wireless firewall/router.)
The other day I upgraded the software in my existing ZyXel NWA3560-n WAPs. Quite unexpectedly I discovered that the upgrade had added a load of very valuable features, many completely undocumented. After a lot of digging around and searching in the docs for other ZyXel products, I discovered the meaning of a mysterious new L2 Isolation feature.
When the L2 Isolation (Layer 2 Isolation) option is selected for an SSID object, you specify a link to another object containing a list of MAC addresses, a whitelist. With L2 Isolation selected, the stations in the SSID in question cannot talk to any nodes on the wired LAN or wireless stations in other SSIDs. The whitelist is a list of exceptions to this rule, holes in the L2-layer firewall surrounding the SSID, my Guest WLAN, so that the guest stations are allowed to talk to certain machines such as the gateway and the DHCP server and anything else you please. This allows the Guest WLAN clients to access the Internet, which is the whole point, but nothing else.
So job done, and no extra kit needed nor any really ugly complex config. I have a small maintenance burden though - I need to be careful to remember to maintain the list of MAC addresses, which currently contains only the MAC address of the router, and update that should I ever swap the router out, or else one day guests will be unable to access the Internet or acquire IP addresses and I will be left wondering why.
(There is another option “Intra BSS something-or-other” - which I was already using - which prevents stations in an SSID from talking to others in that same SSID. Useful but not what I needed. It at least would stop guests from attacking other guests.)
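As an added illustration (not the author's configuration and not ZyXel code), the following Python models the two options described above: L2 Isolation with a MAC whitelist for a guest SSID, and intra-BSS blocking within an SSID. It also includes the kind of drift check the maintenance burden calls for, comparing the gateway's current MAC (parsed from `ip neigh` output) against the whitelist so a router swap is caught before guests lose DHCP. All MAC addresses, SSID names and neighbour-table lines are constructed for the example; the whitelist semantics follow the description on this page, and only unicast frames are modelled.

```python
"""Model of SSID-level L2 Isolation + intra-BSS blocking, plus a whitelist
drift check. Constructed example; not the vendor's implementation."""
from dataclasses import dataclass
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-33-44-55' matches '00:11:...'."""
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class Station:
    mac: str
    ssid: Optional[str]  # None means a node on the wired LAN


@dataclass(frozen=True)
class SsidPolicy:
    l2_isolation: bool = False          # block wired LAN and other SSIDs...
    allowlist: frozenset = frozenset()  # ...except these MAC addresses
    intra_bss_blocking: bool = False    # block stations in the same SSID


def _permits(src: Station, dst: Station, policies: dict) -> bool:
    """Does src's SSID policy allow a frame between src and dst?"""
    if src.ssid is None:                 # wired side carries no SSID policy
        return True
    pol = policies.get(src.ssid, SsidPolicy())
    if dst.ssid == src.ssid:             # same BSS: only intra-BSS blocking applies
        return not pol.intra_bss_blocking
    if pol.l2_isolation:                 # other SSID or wired LAN: whitelist only
        return normalize_mac(dst.mac) in pol.allowlist
    return True


def frame_allowed(a: Station, b: Station, policies: dict) -> bool:
    """Isolation is symmetric: both endpoints' policies must permit the pair."""
    return _permits(a, b, policies) and _permits(b, a, policies)


def gateway_mac_from_neigh(neigh_output: str, gateway_ip: str) -> Optional[str]:
    """Parse `ip neigh` lines like '192.168.1.1 dev eth0 lladdr 00:11:... REACHABLE'."""
    for line in neigh_output.splitlines():
        parts = line.split()
        if parts and parts[0] == gateway_ip and "lladdr" in parts:
            return normalize_mac(parts[parts.index("lladdr") + 1])
    return None


def allowlist_problems(policy: SsidPolicy, neigh_output: str, gateway_ip: str) -> list:
    """Empty list means the gateway the clients actually use is whitelisted."""
    mac = gateway_mac_from_neigh(neigh_output, gateway_ip)
    if mac is None:
        return [f"gateway {gateway_ip} not found in neighbour table"]
    if mac not in policy.allowlist:
        return [f"gateway {gateway_ip} is {mac}; whitelist has {sorted(policy.allowlist)}"]
    return []


# --- constructed sample topology ------------------------------------------
ROUTER_MAC = "00:11:22:33:44:55"
POLICIES = {
    "Guest": SsidPolicy(l2_isolation=True,
                        allowlist=frozenset({ROUTER_MAC}),
                        intra_bss_blocking=True),
    "Home": SsidPolicy(),                # unrestricted house SSID
}
ROUTER = Station(ROUTER_MAC, None)       # gateway + DHCP server, wired
NAS = Station("aa:bb:cc:dd:ee:01", None) # wired file server
HOME_PC = Station("aa:bb:cc:dd:ee:02", "Home")
GUEST_A = Station("de:ad:be:ef:00:01", "Guest")
GUEST_B = Station("de:ad:be:ef:00:02", "Guest")

# constructed `ip neigh` output before and after a hypothetical router swap
NEIGH_BEFORE = "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n"
NEIGH_AFTER = "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:56 REACHABLE\n"

if __name__ == "__main__":
    for a, b in [(GUEST_A, ROUTER), (GUEST_A, NAS), (GUEST_A, HOME_PC),
                 (GUEST_A, GUEST_B), (HOME_PC, NAS)]:
        print(f"{a.mac} -> {b.mac}: {'allowed' if frame_allowed(a, b, POLICIES) else 'blocked'}")
    print("drift check:", allowlist_problems(POLICIES["Guest"], NEIGH_AFTER, "192.168.1.1"))
```

Running the drift check from a wired host on a schedule (or after any router change) turns the "one day guests can't get an address and I wonder why" failure into an explicit report of which MAC the whitelist now needs.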