What is the role that the guest users fall into after connecting to the SSID?
1. Create a netdestination "internal_network" and add your internal networks to it.
2. Create a ACL
any alias internal_network any deny
3. Assign ACL at the top of the list of the guest-user-role