See post:
http://forum.tp-link.com/showthread.php?99025-How-to-configure-Multiple-SSIDs-with-Multiple-VLANs-on-CAP-amp-AC-products

Hi, I'd like to expand on the question, since I'm looking for a similar solution, i.e. separate SSIDs for corporate and guest clients, with the guests limited to Internet access and prevented from reaching the corporate network.
I am using multiple CAP1750s, but that is for improved coverage only, so I'm not sure that the example in http://forum.tp-link.com/showthread.php?99025-How-to-configure-Multiple-SSIDs-with-Multiple-VLANs-on-CAP-amp-AC-products does apply.

For simplicity let's assume that I have only one single CAP1750, and one AC50 (192.168.254.254/24).
I do have two dedicated routers, one used by the corporate LAN (router IP 192.168.10.1/24) and one intended for the guest network (router IP 192.168.20.1/24).
Everything is connected by a single PoE switch (D-Link GS1900, web smart, i.e. VLAN support but no routing or such).

On the AC50 I have created two SSIDs, with the AC's global DHCP Server option set to "CAP only", since I'd like the clients to use their respective router's DHCP server.
The CAP does get its IP from the AC in the 192.168.254.x/24 range.

Now how would I go about directing/limiting traffic from the guest SSID/clients to the guest router and from the corporate SSID/clients to the corporate router?

Thanks for your time, let me know if further information is needed.