Our home network consists of a TP-Link Archer C7 Wi-Fi router ("router") and a TL-WPA8630P Powerline Wi-Fi extender ("extender").
We use the guest network feature on the router to protect our main Wi-Fi network. This works very well. Clients connected to the router's guest network can access the internet, but cannot see other devices connected to the router.
Yesterday I added the extender to the network. I configured it using the WPS ("WiFi clone") method. Both main networks (2.4 GHz and 5 GHz) were replicated on the extender, but not the guest network. So I switched on the extenders guest network manually.
I noticed however that clients connected to the extender's guest network are not isolated from our main network. For example I can ssh into a Raspberry PI connected to the router from an Android phone connected to the guest network of the extender. It seems that the router has no way to distinguish clients connected to the extenders main networks from those connected to the extenders guest network. This of course defeats the purpose of a guest network.
The security settings for the extender's guest network are as follows:
Allow guests to see each other - unchecked
Do not allow guests to manage my network - checked
Automatic disable after - unchecked
(There are no other options.)
How can I extend the guest network so that guests connected to the extender are isolated from clients connected to the router?