NBN / ISP modem - dedicated IP

ER605 v1.0 - Firmware v 1.3.1

OC200 v2.0 - Firmware v 2.9.3 - Controller v 5.9.32

TL-SG3428 v2.0 - Firmware v 2.0.10

EAP610(US) v1.0 - Firmware v 1.0.4
EAP610v3 

TL-SG108PE - Firmware unsure not in Omada 

Basic implementation 

Wizz, Arlec, Tyua, and Shelly Devices behind light and power switches, connected to AP on 2.5ghz IOT SSID

Mobile Phones / Tablets / laptops on 5ghz home ssid

TL-SG3428

TVs, Fibaro Home Centre 3, EAP610 via injector, TL-SG108PE, Proxmox and TrueNAS Scale.
2 x Sungrow inverters via LAN

Proxmox running Home Assistant (mariaDB & Influx db) llms, development environments, AI LLMs and AI applications, local wordress env, VMs with Automotive diagnostic softwares  

TL-SG108PE

Laser 2D printer, SLA 3D printer. 

I have been experiencing consistent dropout notifications of the OC200 via app, System is kicking all Android devices off the APs within a minute or two of connection and attempts to consume data. Also having issues updating both Debian 11, 12 and Ubuntu 20 via apt update with cli respose that my connection isnt secure therefor connection is rejected. 

As per the last time I rasied an issue with ER605 firmware ISP is saying that they are seeing multiple MAC addresses attempting to connect this time we have 9 different MAC addresses, when you search Omada these MAC addresses do not exist, when you use FING the MAC addresses do exist and have associated IP addresses which also do not exist within Omada. If I try to connect to the IP address, I can confirm they are my devices, they are on my either my LAN or WLAN.

So not only is it frustrating that my ISP and Others can view my MAC addresses its frstrating that Omada cant even keep track of the network accurately. For an "Enterprise Solution set" is very strange that there are consistent issues with TP-Link hardware and sofware.  The ISP should only see one MAC address, the ER605 router. 

The question is, why is my ISP able to see these other MAC addresses through my WAN port?  It's almost like these are being presented as if they were connected to a switch or something.  I do not think they are able to see my whole network, as it is only a handful of addresses.  At most, I would have expected the device/default MAC and then maybe the MAC for the interface.

Any ideas on how to block this from happening?  The issue as per last time seems to resolve itself with a prolonged network shutdown and reboot. 

ISP only allows one MAC address to connect to network.  ER605 appears to be presenting all device MAC addresses (possibly also virtual as well). The only nework issue the ISP can report is some loopback issues between my NBN Modem and the exchange which at this point are unable to explain. 

Sidenote - TCP no flag issue improved last Firmware update - Not resolved