1. Create a second access point
2. Create a second LAN network
3. Create a new Port Based VLAN, set all LAN ports to OFF, uncheck primary Access point used for internet and check your newly created Wifi for VoWiFi. Save settings.
4. Create firewall rules
5. Specify which ports you wont to accept separated by space. In this case you want 500 4500. Save settings
6. Add a new rule as in step 4. In edit page specify action as Drop
7. Your settings should look something like this:
Please note: drop rule should always be the last one, and accept rules should be above it.