Restricting 2 subnets but sharing the internet connection

    I've been searching around and seen similar requests but not one that fits my situation exactly, so apologies if I've missed it somewhere...

    I have a router from my ISP that provides internet service. I use a wired connection to another part of the building which has 2 main things: 1) PCs connected to a hub and 2) Guest LAN to provide WIFI access.

    I want the guest LAN to have internet access but NOT access to see the PCs.

    I am using Tomato on a Linksys WRTG54 as a wireless access point. DHCP is turned on for the LAN and provides the guests with IPs on a separate subnet.
    Currently it's 'almost' working. Guests on the WIFI AP can connect to the internet but they can also still see the internal LAN machines. I want them to have internet access but not access to the machines on the LAN.

    Is what I am looking to do possible? I wouldn't mind adding more equipment if necessary to accomplish this.

    I'll attach a diagram.

    I tried adding 2 rules to the firewall section of the Tomato AP to 1) drop all packets between the LAN and WAN and 2) allow packets from the LAN specifically to the gateway router's IP, but this didn't work. Any ideas?

    Many thanks

    Just put your wifi on a different vlan with its own bridge. That will do the trick.

    Could you give a bit more information on what you mean?
    I added another vlan and bridged the wifi to it.

    However now that vlan and the wifi can't make it to the outside world. I tried pinging and pinging an external IP address.
    Surely there's one other thing I need to do to get the new vlan to be able to reach the gateway router and thus the outside world?

    Many thanks

    Did you find a solution to this? My DHCP is provided by my ISP router. I set up a Tomato router and everything works except the VLAN. I have DHCP disabled for the main bridge. I have DHCP enabled for the VLAN. While I can connect to the VLAN via wifi and obtain an IP address, because the VLAN has to be on a different subnet, I can't get access to the Internet.
