@zEnterHacker 

Waoo!!  ...  I have done some more digging.

If I enable an EasyMeshed Guest Network (You need to enable Traffic Separation for this!) and then connect to this guest network ensuring you are close enough to connect to the master AP - then the guest network is working. I get an IP lease from my external DHCP server and I can connect to the WAN and everything on my LAN despite the Traffic Separation :@)

Then - using a notebook - i start a constant successful ping (-t) of my master AP before moving towards the satellite  AP. When the radio signal from the satellite AP is strong enough to trigger a connection change from master to satellite - THE PING RESPONSES STOPS. Going back into the range of the master AP brings back successful ping responses. This is consistent on two identical EasyMeshed router pairs that I have, and I cannot find any settings that can enable guest network packets from the satellite to be routed back to the master and further on to the LAN/WAN networks.

In other words the propagated guest network of an EasyMeshed satellite AP simply does not work!

Go to master AP / Advanced / EasyMesh - scroll down to Mesh Device Details, click Modify on the master and click the (?) for the  Traffic Separation to get the guidance text: 

When enabled, the Guest Network settings of the main router can be synchronized with those of satellite devices.
It can also separate the traffic of the host network and guest network, ensuring the security of your home network.

What is the point of synchronizing master guest network settings with a satellite if the satelite simply discards all the network data on this guest network?
(Remember: This setting is only available under Advanced EasyMesh and quite clearly indicates that it should work like one range extended (meshed) guest network.
Did the SW guys forget to test this in Access Point mode?

IMHO this calls for a firmware update!!!

And by the way - how is traffic separation supposed to work in Access Point mode where packets must travel from the AP to a default gateway - most likely over a LAN segment?
(one way of doing this is to create a VLAN, but again this requires a VLAN compatible LAN switch sytem in order to be safe....and might not suit a home network environment)

Redards

zEnterHacker

  @terziyski 

Yes but I have given up on trusting TP-Link guest isolation completely, and I just wanted use the guest network to create two designated 2.4GHz and one 5.0GHz SSIDs in order to have more control over clients that I want to force on a given radio frequency while maintaining a general combined 2.4/5GHz SSID - but that is not the issue here.

This is how I made a real isolated EasyMeshed guest network using a designated DMZ ethernet port on my firewall:

(Downside is that you need 4 AX55s running two almost identical EasyMeshed WiFi networks: One for the LAN segment and one for an isolated DMZ zone where the Firewall only allowes access to the WAN):

                                              WAN
                                                  |
DMZ1 -------- Firewall / LAN DHCP / Default Gateway -------- DMZ2-------WAN Port MASTERguest

                                                  |                                                                                 |    |    |    |  4 port switch (DMZ2)

                                                  |                                                                                 |
                                                  |                                                                                 |
MASTER wan port -------- LAN-SWITCH -------- wan port SATELLITE                   WAN Port SATELLITEguest        
|   |   |   |                            |   |   |   |   |   |                              |   |   |   |                            |    |    |    |  4 port switch (DMZ2)

I guess if you want complete Guest Network isolation using only one pair of AX55s in EasyMeshed AP mode both AP should of course work and should also block WiFi clients from transmitting to & receiving from any IP addresses in the local network scope of the APs except the defined default gateway of the APs (the Firewall). I'm not a certified network specialist - so I might not be correct about this since there is also UDP to cope with...

I still think it is strange/unprofessional to implement something (EasyMeshed Guest Network) and then just let the end users find out - after endless burn and tries - that this thing simply does not work in AP mode - I mean this is really not a serious solution!

I also do not understand why you cannot turn on the IOT network directly through the WebGUI on a SATELLITE AP since this is simply not part the EasyMeshed standard network - You can turn IOT network on for the MASTER but it is not propagated to the SATELLITE via EasyMesh.

Regards

zEnterHacker