@DannyZ 

ACL should not be "deny all". There is an option "all network/IP" which includes 0.0.0.0/0.0.0.0. If you deny this, you'll be losing all the connection.

You can set Deny VLAN 99 to VLAN 1 and 44. Don't make it deny everything. 

What other devices do you use in this network? If you are talking about VLAN 4 and 99 is not working, do you set up multi-SSID right? 

https://www.tp-link.com/us/support/faq/3091/

  @John1234 

Sorry, I should have been clearer on the ACLs I set. I did set the rules to apply to each specific "network" exactly as described in the link you sent. I did not use any "IP" restrictions in the ACL entries. 
 

So traffic from network "vlan99" (guest) is denied to network "vlan1" (primary network). "All" protocols are denied which is consistent with the link you sent. 
 

To me this makes common sense and matches the FAQ scenario provided by TP-Link as well as your feedback but still does not allow vlan99 to connect to the internet. 
 

The gateway/router is on vlan1. Could that have anything to do with this issue?  Do I need to create some sort of static route to the internet since the guest network may not be able to communicate?

  @DannyZ 

If you got the VLAN right but still cannot get INTERNET. I think it has something to do with your VLAN. How do you set the VLAN(to port) profile on your switch? 

Do you just get a computer connected to the port and get a matching VLAN or? 

So, since you mention IOT, it's more like WiFi AP. Right? For AP, you don't have to set anything or modify any ports on the switch. Instead, you just go and set up your WLAN and make that SSID match with the VLAN ID. Will this work for you? When I do my VLAN for WiFi, I don't set anything because the Omada can do a lot for you on its own. You just pay attention to the WLAN part. 

If you intend to use a device(like a switch) to the Omada router/switch, you need to set the port profile on the switch. If you want to make it a trunk port, you set the profile to "All". If you want a dedicated VLAN for a specific port, you use a certain VLAN profile for the port. 

There is no need to use any static routing. First, check your IP, do you get IPs from the VLAN 4 and 99? I think it's more like an issue with the VLAN interface instead of ACL.

PS

What is the version of your controller and ER7206? Are they up to date? I think you first need to make sure the configs are right before setting up the ACL.