Which would be more secure to add guest wifi

I have a spare max transit that I’m thinking of using as an access point to provide guest wifi to people who come by with untrusted/unknown devices, etc.

Guest wifi doesn’t need to be redundant.

With the goal being to keep the existing office lan as secure as possible, which would be better:

1.) connect the max transit to the starlink’s wifi with wifi as wan (dhcp) so it is not connected to the balance which provides office lan; the balance connects to the starlink ethernet adapter with no changes from current and has a dhcp wan ip from starlink also; all office traffic is over speedfusion so double nat makes no difference. Max transit blocks traffic from it’s lan guest wifi to 192.168.100.1 so guest wifi devices can’t stow starlink or otherwise view/change starlink settings.

starlink-guest-wifi-1 - Copy.jpg2456×1810 187 KB

2.) setup a guest vlan on the balance and connect the max transit to the balance lan with interlan vlan routing set to disabled.

starlink-guest-wifi-2 - Copy.jpg2594×1594 188 KB

Option 1 is more secure because it is easier to get right and all untrusted traffic stays on the WAN of the Balance 2.

Option 2 is less secure because it’s easier to get wrong - however you get more control over the guest traffic and so its easier to stop them hogging all the bandwith.

When configured properly, Option 2 is as secure as Option 1.

Thanks very much! Appreciated.