Thank you for the questions and tips.
*Solution* I was using a non-VLAN-aware router/modem combo provided by ISP. Added a VLAN-aware router (TL-R470t+) to network and had ISP set their modem/router to bridge mode so I can use my own router's functionality.
All VLANs are TAGGED on ports connecting network infrastructure (Router-Switch, Switch-Switch, Switch-EAP) and each client port is set to the PVID of its client's VLAN. VLANs are isolated as expected.
My wifi devices can connect to the EAP 225, but enabling VLANs on the wireless networks in Omada software controller causes the devices to lose internet connection. This defeats the whole purpose of segmenting my network to separate home automation/media devices from my other VLANs.
Here is the network infrastructure:
EAP225(US) v3.0 firmware 2.20.1, previously 2.5.1
T1600G-28PS v3.0 firmware 3.0.6, previously 3.0.5
T1500G-8T v2.0 firmware 2.0.6, previously 2.0.5
Omada Software Controller v4.1.5, useable with current firmware, not previously
Hitron router supplied by ISP (Shaw)
This is my configuration; I had no problems with it before the firmware upgrade:
T1600 is the backbone, in between the T1500, EAP, and router. Omada is on a laptop connected to the T1500.
VLANs 1 (default), 2 (guest), 3 (automation and media), 4 (gaming), 5 (internet) - I had to have a separate 'internet' VLAN to add to ports to allow them internet access.
Switch-to-switch port profile is the default 'All' profile (PVID 1, all VLANs tagged)
T1600-to-Router port profile is PVID 5, all VLANs untagged
Ports for client devices have the PVID x, with VLAN x and 5 untagged. So, my omada laptop, NAS, virtual machine on the NAS, and printer are on VLAN 1, have PVID 1 with 1 and 5 untagged. This allows them to access one another as well as internet. Ports for guest devices are on VLAN 2 so have PVID 2 with 2 and 5 tagged, etc.
Ethernet devices are all functioning properly. They have internet access and are segmented between VLANs.
***This last part is my stumbling block.
T1600-to-EAP225 port profile has PVID 1 with 1,2,3,5 untagged (no wifi access required for VLAN 4). It seems I have tried every permutation but nothing seems to allow me to have SSIDs with enabled VLANs that also connect to internet.
The EAP had no problem separating SSIDs into VLANs with firmware 2.5.1. Now that it is using 2.20.1 and Omada, wifi devices can connect to the EAP, but can only access internet through the EAP if VLANs are disabled.
I would be interested to hear some advice on how to set the port profiles, thank you.
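
The following is an added example, not part of the original post or of any TP-Link tooling: a small Python audit that checks port profiles against the rule stated in the solution (VLANs tagged on infrastructure links, one untagged VLAN equal to the PVID on client ports). The `Port` structure, the port names and the "after" layout are assumptions constructed for illustration; the "before" values follow the configuration described in the post.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    role: str   # "infra" (router/switch/EAP link) or "client"
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

def audit(port):
    """Return a list of findings for one port profile."""
    findings = []
    if port.pvid not in port.tagged | port.untagged:
        findings.append(f"PVID {port.pvid} is not a member VLAN")
    extra = sorted(port.untagged - {port.pvid})
    if port.role == "infra" and extra:
        # Untagged egress strips the 802.1Q header, so the device at the
        # far end (e.g. an AP mapping SSIDs to VLANs) cannot tell them apart.
        findings.append(f"VLANs {extra} leave untagged; tag them on this link")
    if port.role == "client":
        if extra:
            findings.append(f"also an untagged member of VLANs {extra}; shares that broadcast domain")
        if port.tagged:
            findings.append(f"client port carries tagged VLANs {sorted(port.tagged)}")
    return findings

def audit_all(ports):
    """Map port name -> findings, omitting ports with no findings."""
    results = {p.name: audit(p) for p in ports}
    return {name: f for name, f in results.items() if f}

# Constructed from the original configuration described in the post.
BEFORE = [
    Port("t1600-to-eap225", "infra", 1, untagged={1, 2, 3, 5}),
    Port("t1600-to-router", "infra", 5, untagged={1, 2, 3, 4, 5}),
    Port("nas", "client", 1, untagged={1, 5}),
]
# Constructed layout following the solution; dropping VLAN 5 is an assumption.
AFTER = [
    Port("t1600-to-eap225", "infra", 1, tagged={1, 2, 3}),
    Port("t1600-to-router", "infra", 1, tagged={1, 2, 3, 4}),
    Port("nas", "client", 1, untagged={1}),
]

if __name__ == "__main__":
    for label, ports in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_all(ports) or "no findings")
```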