Guest network isolation with dynamic IPv6 prefix
My Omada setup contains only EAPs. Router and switch are from different vendors. I'm running software controller 6.0.0.23.
I have a separate VLAN for guests and configured the EAPs to have a guest SSID with the guest network option enabled. The EAP blocks all traffic from that SSID to RFC 1918 addresses and I know that I can whitelist a particular IP address using EAP ACLs.
But my concern is IPv6. My ISP assigns a dynamic prefix that changes from time to time. The guest network devices can communicate with each other using their (public) IPv6 addresses, since the traffic does not go through the router where the firewall could block it; the EAP sends it directly from one client to the other without involving the wired port. I cannot achieve this with an EAP ACL, since the IPv6 prefix of the guest network changes from time to time.
I would need an EAP ACL where I can select the guest SSID as both source and destination, but an SSID is not available as a destination type right now. My switch already has a rule to force guest traffic to the router, where it gets firewalled appropriately, so there is no issue of traffic originating from the guest SSID leaving the EAP through its wired port and coming back in there, bypassing the fictional EAP ACL I described, or reaching a different EAP. My setup already blocks communication between guests on different EAPs, but guests on the same EAP can still communicate, since the switch is not on the communication path there.
I do not want to involve any layer 3 addresses (dynamic IPv6 prefix) or layer 2 addresses (I cannot simply block traffic to broadcast MAC addresses; I need to make sure that NDP/ARP/DHCP can go from the guest SSID to the router but not to other guest devices).
Right now the only "solution" seems to be to disable IPv6 on the guest vlan, which obviously is not what I want to do.
Please advise what I can do instead, or implement an AP isolation feature that works independently of layer 3 addresses.
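The following is an added illustration of the point made in the post above, not code from the poster or from TP-Link: it models an EAP ACL that whitelists the router and denies the rest of the guest /64, then rotates the ISP prefix and shows that the same ACL no longer matches guest-to-guest traffic, while a static RFC 1918 / ULA block list keeps working only for IPv4 and ULA addresses. All prefixes and addresses are constructed for the example (documentation space 2001:db8::/32); the rule format is a simplified stand-in, not the Omada ACL schema.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges an EAP can block with a static rule: RFC 1918, ULA, link-local.
# None of these covers a dynamically delegated global IPv6 prefix.
STATIC_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    dst: ipaddress.IPv6Network  # destination the rule matches


def guest_acl(guest_prefix: str, router: str) -> list:
    """ACL as it would be written for the current prefix: permit the router,
    deny everything else inside the guest /64. First match wins."""
    return [
        Rule("permit", ipaddress.IPv6Network(f"{router}/128")),
        Rule("deny", ipaddress.IPv6Network(guest_prefix)),
    ]


def decide(acl: list, dst: str) -> str:
    """Forwarding decision for a frame sent to dst; implicit permit at the end,
    as with an ACL that only contains explicit denies for the guest range."""
    addr = ipaddress.IPv6Address(dst)
    for rule in acl:
        if addr in rule.dst:
            return rule.action
    return "permit"


def blocked_by_static(dst: str) -> bool:
    """True if a prefix-independent private/ULA/link-local rule would match."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in STATIC_PRIVATE if net.version == addr.version)


def stale_rules(acl: list, delegated_prefix: str) -> list:
    """Rules whose prefix no longer lies inside the ISP delegation; these are
    the entries that would have to be re-pushed after every prefix change."""
    delegation = ipaddress.IPv6Network(delegated_prefix)
    return [r for r in acl if not r.dst.subnet_of(delegation)]


if __name__ == "__main__":
    # Constructed example: delegation 2001:db8:aa00::/56, guest VLAN is subnet 3.
    acl = guest_acl("2001:db8:aa00:3::/64", "2001:db8:aa00:3::1")
    print(decide(acl, "2001:db8:aa00:3::abcd"))  # guest -> guest: deny
    print(decide(acl, "2001:db8:aa00:3::1"))     # guest -> router: permit
    # ISP rotates the prefix to 2001:db8:bb00::/56; guests renumber, ACL does not.
    print(decide(acl, "2001:db8:bb00:3::abcd"))  # guest -> guest now: permit (hole)
    print(stale_rules(acl, "2001:db8:bb00::/56"))
    print(blocked_by_static("10.0.5.7"), blocked_by_static("2001:db8:bb00:3::abcd"))
```

The stale-rule check is the only workable automation with address-based rules: something has to watch the delegated prefix and re-push the ACL on every change, and there is a window between renumbering and the update in which guests can reach each other. An SSID-to-SSID (layer 2 / interface based) isolation rule, as requested above, has no such window because it never references the prefix.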