@doremifajb 

Thank you for your reply ! Somehow I overlooked your posting for a long time. Only now I found it.

I installed Omada controller v4.4.6 on win8.1 on Virtualbox. Now I see that client isolation is not available independently of enabling guest network. However I don't see any category where you can prescribe exactly what the guests are allowed to do. All I need is client isolation, nothing else, I do need the clients to have access to the router, so I don't want Omada to block any traffic.  I see "portal" and "access control", but it seems it's not where the guest network parameters are set.

I heard that earlier Omada Controller did have client isolation option independent of guest network. Perhaps I should downgrade the Controller ? Or is there any way to set only client isolation using ssh to each AP? (however the isolation should be effective across all the APs under the same SSID.)

@Virgo 

Now I think I figured it out, but please correct me if I'm wrong:

My setting& goal:

I have SSID:guests, subnet 192.168.2.1/24, vlan11. All what they are supposed to do/not to do are set in firewall on my OpenWRT router, as long as the traffic goes through the router. I have a captive portal on the router which also controls bandwidth of the users.

The only thing the router can't do: to block clients of this subnet talking to each other, i.e. client/L2 isolation. So that's what I need APs to do. 

I did NOT activate the guest network.

What I did:

Network Security->ACL:

Rule 1="portal", permit, protocol: all, Source: SSID:guests, destination: IP group "router" 192.168.2.1/32

Rule 2="block access", Deny, protocol: all, Source: SSID:guests, destination: IP group "guests" 192.168.2.1/24

Portal on my router did work, and I got another device to be on the net, ran Angry IP scanner, the IP of this device is not there. So it seems it did what I wanted. Only, I just have one AP now (ordered for testing: I should be getting 10), so I haven't tested yet if communications between clients on different APs would be also blocked. But as it looks like, it's supposed to work that way as well ?

Reference:

https://community.tp-link.com/en/business/forum/topic/159499?replyId=406110

I think the version of Omada Controller is different, ACL doesn't have an explicit description like in this posting.

I would appreciate your opinions and suggestions ! It would be still a lot easier if there is a simple click of "client isolation" or "L2 isolation", like Unifi, though....

@Virgo 

This page seems to be old: It is as of 11.Sept 2020, and the oldest Omada controller you can get from TP-Link is November 2020. In any case, mine is v.4.4.6 for Win (tried to install the newest one but didn't work on my Virtualbox win8.1 on Macbook Pro 2012), and it does not have configuration options that this FAQ uses, above all, SSID isolation.

However, as I was reading it, I see why TP-Link wanted to eliminate/modify this way of configuring client isolation: If clicking "SSID isolation" does not isolate clients connected to different APs, that's against the expectation of the most people: clicking of "xyz isolation" (whatever each manufacturer wants to call it) should isolate all the wireless clients under the same SSID, no matter where they are connected. And "Access control Rule", as this page describes, also gives an impression that it should also work when two devices are connected to the same AP. But it doesn't. So it was rather badly designed.

So in all, I see why they had to reorganize the options regarding the client isolation. And as it seems that putting pretty much the same thing under Network Security->ACL as this page is doing under Wireless Control->Access Control->Add Access Control Rule works for the devices connected to the same AP as well, it seems to be a good solution: you configure something, and it works as you expect. And it is better than offering a simple click for SSID isolation to isolate all, because it offers configurability as to the exceptions you want to make right there. If you know how to deal with firewall, you can do it. If you don't, you click "guest network", which works for most people.

The only thing missing here is a properly updated tutorial.

I'm still hoping that someone could comment on my configuration on ACL, though... I do deal with firewall but still a beginner :)