> Do you do DHCP from the firebrick?
Yes. For IPv4. Not for IPv6, yet, unfortunately. IPv6 devices just get RAs from the FireBrick to give them the global prefix and then spin an address using one of the usual standard mechanisms, but I don't do IPv6 yet.
> Proper access point "guest" SSIDs tend to work in one of two ways. At the simplest they offer a separate SSID, allowing you to set different security and client isolation, and mapping onto a separate VLAN so you can set different policies on the wired LAN.
Which is what I already do with my Zyxel NWA3650-n, except that I haven't sorted out the VLAN handling yet. It can tag packets with a tag of your choice, by the look of it. But I don't know what to do with that at the Firebrick end. (Firebrick speaks VLANs to some extent; an _interface_ can be associated with a VLAN tag value.)
> Assuming your AP is of the first sort, you could configure a separate VLAN for the guest WLAN, and connect this to a separate L3 interface on the Firebrick. Separate DHCP scope keeping all guest stuff away from your own network. Then you'd need rules on the Firebrick permitting that network Internet access only.
Which is where it all falls apart for me. :-) I'd need to get some serious Firebrick support for this, which I can do; the generous support you get from Andrews and Arnold (who I bought the FB from) is good.
I currently apply 'firewall' rules to IPv4 packets in the guest range to rate limit the traffic coming in to those addresses, so guests can't hog the Internet, not unless they are smart enough to use IPv6 anyway, and seeing as that is browsers' default nowadays, then this is a serious flaw in this plan.