Grant specific sub-network devices access to upper network

Here's an outline of my current network. Solid lines are wired connections and dotted are wireless.

All clients must have access to each other. These devices are fixed in number and positions. Guests must not have access to the LAN, but have to have access to the internet.

If I put the 941HP router in AP mode, everyone has access to both LAN and internet. If I put the 941HP router in router mode, all the routing features are unlocked and I can configure it perfectly for the setup, with a virtual SSID, bandwidth-limited guest network, etc. BUT then not all clients have access to each other.

I have now been informed about hardware limitations in the original question, so to move things ahead and maybe even make a question on-topic in the process, I'll rephrase the punchline: Which device in the diagram would you replace, and with which (non-consumer-grade) device, to achieve the goals stated with minimum resources expended (time, effort, money, all considered)?

