Issue 1
---------
Quickset configuration of guest wifi network not configuring IP correctly. No IP address issue to guest user.

Issue 2
---------
Once configured I can ping from the home network 192.168.88.* to the guest network 10.11.11.* .

My firewall filters are as follows and it does not work:

12 ;;; guest
chain=forward action=drop src-address-list=10.11.11.0/24
dst-address-list=192.168.88.0/24 log=no log-prefix=""

13 chain=input action=drop src-address-list=192.168.88.0/24
dst-address-list=10.11.11.0/24 log=no log-prefix=""

14 chain=forward action=drop in-interface=guestbridge
out-interface=!pppoe-out1 log=no log-prefix=""

15 chain=forward action=drop in-interface=!pppoe-out1
out-interface=guestbridge log=no log-prefix=""

Any suggestions on how to isolate the guest network from the home network?

Issue 3
---------
I also needed to set the ethernet connections as LAN. Only the PPPoE Client should be WAN.

Any help welcome.

viewtopic.php?p=908118

12 ;;; guest
chain=forward action=drop src-address-list=10.11.11.0/24
dst-address-list=192.168.88.0/24 log=no log-prefix=""

13 chain=input action=drop src-address-list=192.168.88.0/24
dst-address-list=10.11.11.0/24 log=no log-prefix=""

192.168.88.0/24 is not address list, it's address (with subnet mask so it matches multiple addresses but that doesn't make it address list). Address list is a list of entries, created under/ip address listand subtree, usually it's named.

For isolating two subnets, you only need rule in chain=forward. The chain=input breaks connections from somewhere to router itself, however your rule #13 above luckily only breaks one special case (when device from 192.168.88.0/24 tries to connect to router at its address 10.11.11.x). You could easily break management access if your rule was only slightly different.