Isolating one network device

a week ago - last edited a week ago
Hardware Version:
Firmware Version: 5.15.24.19

Our client has four ER605s (3 are V2 and 1 is V2.20); each is its own site running on a Software Controller in Windows remotely. Each is in its own building, on its own network, with its own internet.

 

The client wants to add 1 device to each of the four networks that must be isolated from all the rest only allowing internet access.

The sites have multiple LAN devices, some of which are linked through a different manufacturer's managed switch.

 

Is there a way we can isolate a single MAC address to communicate only with the internet and not see other devices? Can this be done with 2 devices on the network?

i.e. 30 devices all able to communicate with each other and the internet, another device with only internet access and no other visibility, and another with only internet access and no other visibility?

 

Thank you in advance

Re:Isolating one network device
a week ago

  @Seensent Sounds like ACLs should meet your needs. Assign a static IP to each of those devices, then set up ACL rules for that specific IP to only communicate with the internet, and deny traffic to other devices in that LAN. 

Re:Isolating one network device
a week ago

  @NeilR_M Thanks, that is exactly what I had in mind (or MAC address) but I can't find where to do that?

If I go to Settings and ACL (under Network Security) I can only select "Network" as my source type if choosing LAN<->LAN.

Re:Isolating one network device-Solution
a week ago - last edited a week ago

  @NeilR_M 

 

This is only achievable with Switch ACLs currently; Gateway ACLs do not yet support IP Groups.

 

If you don't have the ability to add a switch ACL, you can achieve this by creating another VLAN (just for this device), and creating gateway LAN<>LAN ACLs to block it from all other VLANs.

Recommended Solution
Re:Isolating one network device
a week ago

  @GRL 

I plan to add a PoE Switch downstream (TL-SG105PE) - I know it won't be in Omada but will that make any difference?

 

 

How would I setup control for these devices to isolate given this network topology?

 

Building A and B share one ER605 and are linked.

(BUILDING A)                                          (BUILDING B)

ER605 ----------- Single Cat5e Link -----------> 3rd Party Managed Switch
  | (single link)                                       | (single link)
TL-SG105PE                                            TL-SG105PE
  |                                                     |
Device to isolate                                     Device to isolate
(1 of 3 devices on this switch)                       (1 of 3 devices on this switch)

 

Building C has one ER605 and is standalone.

(BUILDING C)

ER605
  | (single link)
TL-SG105PE
  |
Device to isolate
(1 of 3 devices on this switch)

Re:Isolating one network device
a week ago

  @Seensent 

The switches mentioned here are managed switches that can be controlled by the controller so you can configure Switch ACLs on them. The switch you’re using can’t meet your requirement. Alternatively, you could place those devices in a separate VLAN and use Gateway ACLs to isolate them from the other VLANs.

Re:Isolating one network device
a week ago

  @Ethan-TP 

Would the gateway ACLs work even with data coming through 2 other switches? I've read data gets tagged, since I have a link that has 20 or so devices all coming down it, can I tag via MAC address?

Re:Isolating one network device
Tuesday

  @Seensent 

 

If you are not using switch routing anywhere, and the router is acting as the gateway for all LAN clients (most likely), then yes, gateway ACLs still work regardless of how the data gets to it.

Re:Isolating one network device
54 minutes ago

I have this setup in the most simple way to try and get it working and I can't.

 

ER605 - LAN4 is connected to a dumb switch with 2 devices on it. I want one device to be 192.168.15.8 and the other to be in the default DHCP range, let's say 192.168.0.15.

 

I want both to be able to access the internet but neither to be able to communicate to the other on the network.

 

Under "Create New LAN" under "Wired & Wireless Networks -> LAN" I have tried with Purpose as "Interface" set to LAN4 and also tried "VLAN" and no matter what, I can't get the device to move to 192.168.15.8. Even if I set the IP of the device and select "VLAN15" as the network and set it to 192.168.15.8, it ignores the command and stays on the 192.168.0.xxx network.

 

Is there no way to force a MAC to a separate VLAN? I won't be able to separate the single device to a single port on the router.

 

It doesn't even need to be VLANs; is there any way to stop LAN-LAN traffic between two devices?

Re:Isolating one network device
49 minutes ago

  @Seensent 

 

Unless you change that unmanaged switch for a managed one, no.

Since it's connected to the same port on the router, and the switch isn't VLAN aware, the switch will always just directly L2 frame forward between the two devices, because that's what a dumb switch does. The only remaining possibility is if one of the devices allows you to set the 802.1Q VLAN tag on the device itself; then you can trunk the two VLANs, one tagged and one untagged, into the unmanaged switch.

The only other way is with a managed switch, VLANs and/or switch ACLs.

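The two points the thread settles on, that gateway LAN<>LAN ACLs only see traffic that leaves its VLAN (#4, #9) and that two hosts sharing an untagged port on an unmanaged switch are forwarded at L2 before any gateway rule applies (#11), as a small added model. This is example code written for this page, not Omada or ER605 code; the Host, Rule, ANY_LAN and WAN names, the first-match-wins and default-permit ACL behaviour, and the sample topology are all assumptions chosen to mirror the thread.

```python
from dataclasses import dataclass

WAN = "WAN"          # destination marker for internet-bound traffic
ANY_LAN = "ANY_LAN"  # rule wildcard: any VLAN, but never the WAN

@dataclass(frozen=True)
class Host:
    name: str
    vlan: int  # VLAN the host's switch port (or its own tag) puts it in

@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst: object  # VLAN id, ANY_LAN or WAN
    action: str  # "permit" or "deny"

def gateway_decision(src_vlan, dst, rules):
    """Model of a gateway ACL list: first match wins, no match means permit."""
    for r in rules:
        if r.src_vlan != src_vlan:
            continue
        if r.dst == dst or (r.dst == ANY_LAN and dst != WAN):
            return r.action == "permit"
    return True

def can_reach(src, dst, rules):
    """dst is a Host or WAN. Only traffic leaving its VLAN reaches the router."""
    if dst == WAN:
        return gateway_decision(src.vlan, WAN, rules)
    if src.vlan == dst.vlan:
        return True  # switched at L2; the gateway ACL is never consulted
    return gateway_decision(src.vlan, dst.vlan, rules)

def isolation_holds(iso, others, rules):
    """True when iso reaches the internet but no other host (the thread's goal)."""
    return can_reach(iso, WAN, rules) and not any(
        can_reach(iso, h, rules) or can_reach(h, iso, rules) for h in others)

# Constructed topology: 30-host main LAN in VLAN 1, one device alone in VLAN 15,
# gateway ACLs deny VLAN 15 <-> every other VLAN and leave WAN open (post #4).
MAIN = [Host(f"pc{i}", 1) for i in range(30)]
ISO = Host("isolated", 15)
ISO_RULES = [Rule(15, ANY_LAN, "deny"), Rule(1, 15, "deny")]

# The #10/#11 case: two hosts behind an unmanaged switch on LAN4 both land in
# the port's untagged VLAN, so no gateway rule can separate them.
DUMB_A, DUMB_B = Host("dumb-a", 1), Host("dumb-b", 1)
```

`isolation_holds(ISO, MAIN, ISO_RULES)` is true for the per-device VLAN, while `can_reach(DUMB_A, DUMB_B, ISO_RULES)` stays true no matter what rules are added, which is the limit post #11 describes.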