DanAir wrote

Just a dumb switch. I could get a small managed switch to allow me to create separate VLANs. Overkill?

No overkill, but the solution for your guest network.

With a managed switch you can use an asymmetric VLAN to split your LAN into two isolated VLAN segments and share a common resource such as an Internet router. But note that this is kind of a »poor man's guest network« since both LAN segments (VLANs) still use the same broadcast domain of the LAN, which means the router will send broadcasts to both LAN segments. However, access to devices in a different LAN segment from within another LAN segment is not possible.

Setup of a managed switch (e.g. a TL-SG108E):

• VLAN 1: the shared resource (Internet router) connected to switch port #1.
• VLAN 2: your guest LAN segment in house 2, that's the CPE in house 1 connected to switch port #2.
• VLAN 3: your private LAN segment in house 1, PCs, laptop etc. connected to switch port #3 (and ports #4 to #8 if needed).

Port settings:

• Set port #1 (router) as untagged member of VLANs 1, 2 and 3, PVID=1.
• Set port #2 (guest LAN via CPE link) as untagged member of VLANs 1 and 2, PVID=2.
• Set port #3 (private LAN) as untagged member of VLANs 1 and 3, PVID=3. Likewise with ports 4 to 8.

Effects:

• Traffic from guest LAN to private LAN or vice versa is not possible.
• Traffic from guest LAN gets tagged with VLAN ID 2 and reaches the router which is a member of VLAN 2.
• Traffic from private LAN gets tagged with VLAN ID 3 and reaches the router which is also a member of VLAN 3.
• Traffic from the router back to the clients gets tagged with VLAN ID 1 and reaches the client in guest or private LAN which are also members of VLAN 1.

Note that you must not use the router's built-in switch in such a topology (except for the uplink of the managed switch and other shared devices such as network printers etc.).