A couple of things to try; both involve SSH manipulation.
One thing that can be attempted is to add a firewall rule that drops packets from your wireless guest network destined for the mobile interface.
You would simply need to log in to the router via SSH and add the following rule:
- iptables -I FORWARD -i wlan0-1 -o wwan0 -j DROP
In my testing, wlan0-1 was the wireless interface assigned the LAN IP. In your case it would be the interface with the 10.10.10.x IP address. To make sure, enter command:
It will list all available interfaces; look for the name with your wireless LAN IP.
This rule should be enough to prevent wireless clients from reaching the internet through the mobile interface. If you have a rule for the same purpose in the Failover configuration from the previous suggestion, it can be deleted.
Another workaround-ish suggestion, in regard to the DNS issue, is to configure the router to query all of the available DNS servers from both the mobile and wired interfaces, regardless of the currently used WAN interface.
You would need to log in to the router via SSH and execute command:
Press the letter i to enable editing and add the following line at the bottom in accordance with your details, as in the example below:
Once done, press Esc, then enter :wq and press Enter.
Lastly, execute the following command:
- /etc/init.d/network restart
You will get disconnected from SSH, but the DNS issue should not be present after failover.
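An added example, not part of the original post: a POSIX shell script that finds the guest interface by its 10.10.10.x address and inserts the DROP rule only if it is missing, which is useful because a rule inserted by hand lives only in the running ruleset and is gone after a reboot. The `ip -o -4 addr show` call, the sample addresses and the function names are assumptions made for the illustration; `wlan0-1` and `wwan0` are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: guest subnet
# 10.10.10.x, mobile interface wwan0, and `ip -o -4 addr show` is available.

GUEST_PREFIX="10.10.10."
MOBILE_IF="wwan0"

# Constructed sample of `ip -o -4 addr show` output, used for the offline dry run.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
7: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
9: wwan0    inet 100.64.12.34/30 brd 100.64.12.35 scope global wwan0
12: wlan0-1    inet 10.10.10.1/24 brd 10.10.10.255 scope global wlan0-1'

# Print the first interface whose IPv4 address starts with prefix $1.
# Expects `ip -o -4 addr show` formatted lines on stdin.
find_iface() {
    awk -v p="$1" '$3 == "inet" && index($4, p) == 1 { print $2; exit }'
}

# Print the rule specification (without -I / -C) for guest interface $1.
rule_spec() {
    printf 'FORWARD -i %s -o %s -j DROP\n' "$1" "$MOBILE_IF"
}

# Insert the rule at the top of FORWARD only if it is not already there.
ensure_rule() {
    spec=$(rule_spec "$1")
    # $spec is left unquoted on purpose so it splits into separate arguments.
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

case "${1:-}" in
    apply)      # run on the router, as root
        iface=$(ip -o -4 addr show | find_iface "$GUEST_PREFIX")
        [ -n "$iface" ] || { echo "no interface with a $GUEST_PREFIX address" >&2; exit 1; }
        ensure_rule "$iface"
        ;;
    dry-run)    # offline: show the command that would be used for the sample data
        iface=$(printf '%s\n' "$SAMPLE_ADDRS" | find_iface "$GUEST_PREFIX")
        echo "iptables -I $(rule_spec "$iface")"
        ;;
esac
```

Calling the script with `dry-run` prints the command built from the constructed sample; `apply` checks the live ruleset with `iptables -C` and inserts the rule only when that check fails.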