I guess I'll provide my 30,000 ft view. IMHO, guest and IoT clients are the biggest security risk to my home network at this point, just a tad above my concern about my wife and daughter getting suckered into allowing a socially engineered network intrusion. The built-in ASUS guest network capability does not meet my needs for two reasons. One of the two issues I'm trying to resolve now is that while the built-in ASUS guest network capability can isolate guests from my "local" LAN, it does not isolate guests from my VPN LANs. I have two site-to-site (router-to-router) "2-way" VPNs permanently enabled to link my local LAN to two remote LANs. When the ASUS guest network capability is enabled on the local LAN with "Access Intranet" disabled, guests on the local LAN can still access all resources on my remote LANs.
So I'm trying to find a way to isolate local guests from my remote LANs. I'm currently exploring two options, one of which is using VPN Director in combination with the ASUS guest network capability to prevent guest clients on my local LAN from accessing the resources on my remote LANs. I was hoping that VPN Director could be used to prevent a subset of my local LAN IP range from accessing resources on my VPN LANs, but it's not working. To clarify on this, I have my guests and IoT devices set to use auto DHCP IP assignment, and I attempted to use VPN Director to send my auto DHCP range to the WAN as a means to prevent access to my VPN LANs. My auto DHCP range is set to xxx.xxx.xxx.128/26 (128-191), and I have a rule in VPN Director to send xxx.xxx.xxx.128/26 to "WAN". However, it does not prevent local LAN guest clients from accessing my VPN LANs.
Hopefully that all makes sense.