I rent out part of my house with internet access included. I wish to separate tenant traffic from the rest of the network, but still sending it through to internet. They should still be able to have connections between their devices, both wired and wireless.

Current setup is 1 EAP615-wall(EU) V1.0, firmware 1.1.0, which broadcasts tenant wifi and gives them wired ports. This is connected to an ER7212PC v1.0, firmware 1.0.3, which also all mine devices are connected to (two other 615 for wifi and one wired client, rest is wired directly to 7212).

I have tried to assign a VLAN to the port on the 7121 that the tenant 615 is connected to, following this guide: https://www.tp-link.com/us/support/faq/3091/ . However, as I experienced (and the guide noted, I later saw) assigning a VLAN to a port that goes directly to an EAP for some reason does not allow clients connecting to that EAP to get an IP adress.

Is there any way I can accomplish what I want with my current setup? If not, can something like the TL-SG105PE 5 port PoE switch allow some form of workaround?

As this is a home setup, and I bought this kind of hardware because I didn't find regular consumer solutions that allowed this kind of separation without getting into custom firmware and such shenanigans, I do not have the budget to buy one of the pricier JetStream switches, nor do I have anywhere close to the need for one.

I am making a separate post with a question about the firmware on my 615s.