EAP ACL need help
Hello, I'm struggling a bit setting some ACLs on the EAP245 via Omada (OC200).
I have 2 SSIDs, one called IOT and the other PRIVATE; they are in 2 separate VLANs (the router is a TL-R605 and the switch a TL-SG2428P, to which the EAP is connected).
IOT devices, for example Google Home, are connected to the IOT WiFi.
The phone is connected to the PRIVATE WiFi.
I wanted to create a rule where the IOT network can't talk with another network, in this example the PRIVATE WiFi.
What I did was simply go to Settings->Network Security->EAP ACL and create a simple ACL that denies ALL protocols from Source (Network) IOT to Destination (Network) PRIVATE.
It actually works in the sense that if I ping the Google Home device from the phone, the ping fails.
But the issue is that if I open the Google Home app from the phone I can still communicate with the Google Home (Bluetooth is disabled, of course).
Any idea why this happens? I also tried to make a similar rule using IP addresses, for example to deny the Google Home IP to the PRIVATE network, or to deny the Google Home IP to the phone IP. But the result is always the same: every rule works in the sense that I cannot ping anymore, but I can still communicate using the app, which in other words means the traffic is not blocked.
Then I have another couple of questions:
1) If I want a specific client to be able to communicate only with certain clients, what do I have to do?
2) If I want a specific client NOT to be able to access the internet but still able to talk with some other internal network or a specific client, what do I have to do?
Thanks
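A way to check the ACL beyond ping, as an added example that is not part of the original post or of TP-Link's tooling: run from a client on the PRIVATE SSID, it attempts real TCP connections to a device on the IOT SSID, which is closer to what the app does than ICMP, so a rule that only stops ping shows up as "leaky". The address 10.0.20.5 and the port list are assumptions (8008/8009 are the Google Cast HTTP/TLS ports).

```python
"""Segmentation check: probe a peer across the VLAN boundary over TCP, not just ICMP.

Added example, not from the original post. The host and ports below are
constructed for a lab: 10.0.20.5 stands in for the Google Home on the IOT VLAN.
"""
import socket
from dataclasses import dataclass

# Assumed lab values; replace with the real IOT-VLAN device and the ports its app uses.
IOT_DEVICE = "10.0.20.5"
APP_PORTS = (8008, 8009, 80, 443)


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake completes.

    An ACL that only affects ICMP (or only one direction of a flow) can still
    let this succeed while ping fails, which is exactly the symptom to catch.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def probe_host(host: str, ports=APP_PORTS, timeout: float = 2.0) -> list:
    """Probe each port once and record whether it answered."""
    return [ProbeResult(host, p, tcp_reachable(host, p, timeout)) for p in ports]


def leaks(results) -> list:
    """Ports that answered; any entry here means the networks are not isolated."""
    return sorted(r.port for r in results if r.reachable)


def verdict(results) -> str:
    open_ports = leaks(results)
    if not open_ports:
        return "isolated: no TCP service on the peer answered"
    return "leaky: peer reachable on tcp/" + ",".join(str(p) for p in open_ports)


if __name__ == "__main__":
    # Run from a client on the PRIVATE SSID; the target sits on the IOT SSID.
    results = probe_host(IOT_DEVICE)
    for r in results:
        print(f"{r.host}:{r.port} {'open' if r.reachable else 'blocked/closed'}")
    print(verdict(results))
```

Repeat the run from the IOT side toward a PRIVATE client as well, since an ACL applied on the EAP may evaluate each direction separately.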