block ping in the same network via router

taimoor khan
Level 1

Hey Guys,


I would like to block ping in the same network, we have Guest Network 10.x.x.x/24 and we dont want them to contact each other computers. We dont have FW and only can use Routers. Could some one tell me how do I do that, should I use ACL and how ? or do we need route map and how ?.


Any help will be appreciated. 


Thanks

12 Replies

jubair151
Level 1


Hi,


You can try with a MAC access list. Find the format below.


Extended MAC access list test
    deny   any any vines-echo

This only blocks on ARP; I want to block full connectivity between the users in the same network.

pompeychimes
Level 4

If your switch supports it I'd use PVLANs.

That is the best solution...

My switch doesn't support PVLAN.

The problem is none of the traffic between devices on the same VLAN will traverse the router. Since they are on the same VLAN / IP Subnet all traffic will stay on the switch.

The only thing I can think of now is to configure router on a stick with multiple /30 subinterfaces on the router interface connecting to the switch. With a /30 you can have 2 hosts per network, one for the guest device and one for its default gateway, aka the router subinterface. You'd then use an ACL to prevent each /30 from talking to the others.

The /30 subnet solution means TONS of lines in the router. Can I do it via route-map or route-policy?

Are you asking if you can use policy routing instead of /30s? If so, the answer is no. Per my previous comment, the traffic isn't even going to hit the router if all devices use a /24.

PVLAN is the right solution. Unfortunately you can't do this. Whatever solution you come up with won't be pretty/optimal.

I found a switch that has private vlan option, now here is the design


Router --- connect to Switch1 --connect to Switch2 --connect to AP

I am going to configure the Switch2 port connected to the AP as isolated, so it should work, I believe.

cisco.met.co.uk
Level 1

Have you looked into this functionality on the wireless AP?


If you use Aironet then:

Aironet autonomous APs can use bridge-group "bridge group number" port-protected to block peer-to-peer traffic.

Aironet controller-based APs can use P2P blocking on the controller.


The command doesn't work in my AP.

AP model = 3600i

It should according to the Aironet documentation.

http://www.cisco.com/c/dam/en/us/td/docs/wireless/access_point/15_2_4_JB/configuration/guide/scg15_2_4_JB3a.pdf

bridge-group "bridge group number" port-protected

Chapter 6, page 30 describes the syntax for Public Secure Packet Forwarding (PSPF); it also covers protected ports on switches using multiple APs.

 

Mark
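The Switch2 private-VLAN design and the PSPF command discussed in the posts above, written out as one added configuration example (this is not from the thread or from Cisco's documentation). VLAN numbers 100/101, the interface names and bridge group 1 are assumptions; it also assumes all guests sit behind the AP on Switch2, so Switch1 only needs to carry the primary VLAN as an ordinary VLAN.

```cisco
! ---- Switch2 (assumed: Gi0/1 = uplink toward Switch1/router, Gi0/2 = guest AP)
! PVLAN configuration requires VTP transparent mode on most Catalyst platforms.
vtp mode transparent
!
! Secondary (isolated) VLAN: hosts in it can only talk to promiscuous ports.
vlan 101
 private-vlan isolated
!
! Primary VLAN: the guest 10.x.x.x/24 gateway on the router lives here.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Uplink: promiscuous, so the router gateway can reach every isolated host.
interface GigabitEthernet0/1
 description Uplink to Switch1 / router gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! AP port: isolated host port, so the AP (and the clients behind it) can reach
! only the uplink, never another isolated port on this switch.
interface GigabitEthernet0/2
 description Guest AP
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verification (constructed checks, run on Switch2):
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/2 switchport

! ---- Autonomous Aironet AP (assumed bridge group 1)
! The isolated port only separates the AP from other wired hosts; clients of the
! same radio are bridged inside the AP, so PSPF is needed there as well.
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
```

Without the PSPF line, two wireless clients on the same AP still reach each other (ping included) even though the AP's switch port is isolated.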