Seems that ETH01 is the wan side of ZS, (maybe is a DMZ of another router), so, let say that ETH00 is the interface to which the APs are connected and where the CP is in listening, I’m now assuming that (just as sample):
ZS def-gw 192.168.2.1
other network, 172.16.0.0/20
I’d manage the APs (192.168.192.51-64) from both networks 192.168.2.0/24 and 172.16.0.0/20 ( managing pc must know to reach the network 192.168.192.0/22, which is behind the 192.168.2.x interface of ZS, their default gw must have a route to that network) allow the users, once authenticated to the CP, to access the web, while denying the access to the private networks beyond the ZS.
Forward chain, default policy DROP
1 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 destination IP range 192.168.192.51-192.168.192.64
2 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 172.16.0.0/22 -> 0.0.0.0/0 destination IP range 192.168.192.51-192.168.192.64
3 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 source IP range 192.168.192.51-192.168.192.64 state RELATED,ESTABLISHED
4 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 172.16.0.0/22 source IP range 192.168.192.51-192.168.192.64 state RELATED,ESTABLISHED
5 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 10.0.0.0/8
6 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 172.16.0.0/12
7 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 192.168.0.0/16
8 ETH00 * time based rule .......
9 ETH00 * (other time based rule ....)
You may want to add a rule in Startup Script,Nat and Virtual Servers, for avoiding that the APs’s ip addresses are NATted during the management
iptables -t nat -I POSTROUTING 1 -o ETH01 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 2 -o ETH01 -d 172.16.0.0/22 -j ACCEPT
For devices in the same broadcast domain, ZS is irrilevant, you have to use some kind of client isolation/L2 isolation on the APs for deny devices to see each other.
And also, you may want to deny the ZS’s management from the wifi network, look in Setup, Web and ssh