So we are talking Instant?
Under the access tab when configuring the SSID you can choose network-based access, which basically allows you to make an access list for all users associated with that SSID.
This is usually how i configure my ACL for guest networks.
Allow DNS to any destination
Allow DHCP to any destination
Deny any to 10.0.0.0 255.0.0.0.0
Deny any to 172.16.0.0 255.240.0.0
Deny any to 192.168.0.0 255.255.0.0
Allow any to any destination
There are obviously some modifications you can do here, for example if you are using google DNS servers the first rule would not be needed. Or just specify the DNS server which are handed out by the DHCP server.