VLAN and Firewall Rules
I'm having a hard time trying to get this working, and there's some behavior that I cannot figure out anymore lol, so I'm looking for help now.
I have 3 VLANs = default, guest and IoT.
I want to block from IoT to default and guest, but allow default to be able to access IoT.
I want default to be able to AirPlay to IoT.
So, as of now, I was able to get blocking IoT to the other 2 and AirPlay working, but I can't get default to IoT working.
My setup is:
Router = Omada ER707-M2 Latest Firmware
EAP = 660 HD v2 latest firmware
Switch = Netgear (not omada/tp-link)
Linux Software Controller latest version
I have a firewall rule under EAP. The first rule is to allow AirPlay and the second rule is to block IoT. mDNS is enabled, so with this I can do AirPlay and IoT can't access the others, but I can't access IoT from default:
If I disable the second rule above, and go to Gateway ACL and enable the below rule, I can Block IoT to default and guest and I can ping from default to IoT, but AirPlay does not work:
So, why do I need to deal with that Gateway ACL? Because I don't have an Omada switch to manage the rules? Why doesn't the EAP ACL work as expected? Interesting that I have "block/deny" rules and when I enable them, things start to work, lol - isn't that weird? What am I missing here? Of course I can't create the same AirPlay rule in the Gateway ACL since it does not allow me to specify IPs and ports.
This is my routing table, just in case:
| ID | DESTINATION IP/SUBNETS | NEXT HOP | INTERFACE | METRIC |
|---|---|---|---|---|
| 1 | 0.0.0.0/0 | 192.168.3.1 | 2.5G WAN1 | 0 |
| 2 | 192.168.0.0/24 | 0.0.0.0 | secure | 0 |
| 3 | 192.168.3.0/24 | 0.0.0.0 | 2.5G WAN1 | 0 |
| 4 | 192.168.3.1 | 0.0.0.0 | 2.5G WAN1 | 0 |
| 5 | 192.168.50.0/27 | 0.0.0.0 | Guest-Lan | 0 |
| 6 | 192.168.100.0/25 | 0.0.0.0 | IoT-Lan | 0 |