I got it to work with a little trick, using nonstandard subnet masks:
The primary router's internal LAN is set to:
- Router IP: 192.168.1.252
- Mask: 255.255.255.0
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.255)
The secondary router is connected through its WAN port to the primary.
Its internal LAN configuration is set to:
- Router IP(secondary router): 192.168.1.1
- Mask: 255.255.255.128 (== .10000000b)
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.127)
Its WAN Configuration is set to:
- Gateway: 192.168.1.252 (The primary router)
- Router IP: 192.168.1.249 (The secondary router's outward-facing IP)
- Mask: 255.255.255.248 (== .11111100b)
(so valid IPs in this subnet are in the range 192.168.1.248-192.169.1.255)
(this was necessary since WAN and LAN may not have overlapping subnets
This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet.
But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between 192.168.1.0 and 192.168.1.128. That IP range is not forwarded by the secondary router, since that is also the local subnet of the secondary.
So guest mode is no longer required on the secondary router, clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than 192.168.1.128.
It would be even better if I could block all IPs lower than 248, but I do not think that is possible with subnet masks.
Enabling guest mode with wireless isolation will additionally prevent guest machines from connecting to other guest machines or the secondary router.
Nothing prevents guest machines from connecting to the primary router, since those requests are still forwarded by the secondary, but a good password should suffice for that case.