I have an EAP615-Wall using Omada and I want to add an ACL to deny wifi client Phone1 from connecting to wifi client Phone2 on port 8111. Other connections are permitted.

So I make an EAP ACL to deny source Phone1 and destination Phone2 port 8111.

This doesn't work. The connection is actually permitted. I suspect the problem is this issue and that "doesn't work" is expected behavior.

Is there a work-around?

"Guest network" isn't useful since I want to allow other connections. My best thought is to put Phone1 and Phone2 on different VLANs and route all the permitted connections but that's both inefficient and cumbersome.