dggro wrote
If I do turn on SSID isolation, "Guest" devices cannot access my private devices using "FirstWiFi" - so far so good. But because of SSID isolation they also cannot see each other WITHIN "Guest", and therefore cannot use the printer.
Client Isolation is a setting in the WiFi chip, so it affects all clients inside the same SSID. If you enable Client Isolation (sometimes called SSID Isolation, despite the fact that it isolates clients, not SSIDs), it will always affect all client devices in this SSID.
In the case of Omada or EAP Controller it will also deny access to clients in other SSIDs on the same radio and even to wired clients in the RFC1918 private IP space, which IMO is wrong (tested with EAP Controller V2.7.0 as well as with Omada Controller V3.0.2, which both had a separate Client Isolation setting).
In order to grant access to a wireless printer, you have to create an ACL allowing access to your printer and you need to move the printer into the private network (SSID: FirstWiFi). For example, if your printer has IP 192.168.1.10, modify the default ACL in EAP Controller V2.7.0 or create a new ACL in newer versions of Omada Controller:
Remember to bind the ACL to the guest network:
Note 1: You cannot use an Allow ACL to allow access to your printer, because an Allow ACL will allow access only to the given network(s)/device(s), so your guests would end up having no access to the Internet anymore. When creating Allow ACLs, the default policy (the last resort) will become Deny resp. Block.
Note 2: the printer must be located in the first (non-guest) network FirstWiFi if connected wirelessly. Access to devices inside the guest network is still denied even if you set the above ACL allowing access to the printer's IP address – and yes, that's the way Client Isolation is supposed to work, because Client Isolation is an on/off toggle in the WiFi chip, not an ACL.
However, IMO it should leave it up to the user to define a policy such as allowing or denying access to other SSIDs and/or to other wired networks. With the ACL above you gain control back over this policy decision.
If you want to set up a fully isolated guest network with routing/forwarding to resources such as shared printers/servers in a separate wired or wireless network, see this HowTo (scroll down to Method 2).
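To make the two notes above concrete, here is a small constructed model (added here, not code from the post or from TP-Link) of the ACL behaviour the post describes: rules are matched first-match in order, Client Isolation drops guest-to-guest traffic before any ACL is consulted, and the default policy is Allow only while no Allow rule exists. The printer IP 192.168.1.10 is the post's example; the other addresses, the "private ranges minus the printer" matcher and the rule tuple layout are assumptions for illustration, and how such a carve-out is entered in the controller UI is outside this model.

```python
import ipaddress

# Constructed model of the ACL semantics described in the post; not Omada code.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINTER = ipaddress.ip_address("192.168.1.10")  # the post's example printer


def in_any(ip, nets):
    return any(ip in n for n in nets)


def evaluate(rules, src_ssid, dst_ip, dst_ssid=None, client_isolation=True):
    """Return 'allow' or 'deny' for traffic from src_ssid to dst_ip.

    rules: list of (action, source_ssid, matcher) checked in order; first match wins.
    """
    dst = ipaddress.ip_address(dst_ip)
    # Note 2: Client Isolation is a radio toggle, not an ACL, so guest-to-guest
    # traffic is dropped regardless of what the rules say.
    if client_isolation and dst_ssid == src_ssid == "Guest":
        return "deny"
    for action, ssid, matcher in rules:
        if ssid == src_ssid and matcher(dst):
            return action
    # Note 1: as soon as any Allow rule exists, the last-resort policy becomes Deny.
    return "deny" if any(a == "allow" for a, _, _ in rules) else "allow"


# Pitfall from Note 1: a single Allow rule for the printer (assumed rule set).
ALLOW_ONLY = [("allow", "Guest", lambda ip: ip == PRINTER)]


def private_except_printer(ip):
    """Match the RFC1918 ranges but carve the printer out (assumed matcher)."""
    return in_any(ip, PRIVATE) and ip != PRINTER


# Working approach: one Deny rule, default policy stays Allow (assumed rule set).
DENY_PRIVATE = [("deny", "Guest", private_except_printer)]


def check(rules):
    """Evaluate a rule set against constructed destinations; returns a dict of verdicts."""
    return {
        "printer": evaluate(rules, "Guest", "192.168.1.10", dst_ssid="FirstWiFi"),
        "wired_lan": evaluate(rules, "Guest", "192.168.1.20"),
        "internet": evaluate(rules, "Guest", "203.0.113.5"),
        "other_guest": evaluate(rules, "Guest", "192.168.2.7", dst_ssid="Guest"),
    }
```

Running `check(ALLOW_ONLY)` shows the printer reachable but Internet access denied, while `check(DENY_PRIVATE)` allows the printer and the Internet and denies the rest of the private LAN; another guest client is denied in both cases because isolation runs ahead of the ACL.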