Client isolation while roaming across multiple APs (using same IP)

@Gruntruck

You actually have two possibilities to isolate clients from each other on multiple access points:

A: Put every access point into its own VLAN and enable client isolation on them. You either have to live with different subnets then or use a DHCP relay instead to keep one address range for all your access points. In this case you can use iptables to prevent the clients from talking to each other, as the traffic between VLANs gets routed.

B: Keep one single VLAN for your guest network/all access points and again enable client isolation on them. The problem here is that traffic between two clients is switched and iptables doesn't help to isolate your clients. Ebtables and a bridge can achieve that: https://forum.openwrt.org/t/client-isolation/13914/31

Perfect for this scenario would be something like "private VLANs": https://learningnetwork.cisco.com/docs/DOC-16110 but unfortunately it is not available on OpenWrt.
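
The two options above, sketched as rule generators (an added example, not part of the original post and not the rules from the linked thread). Interface names and the gateway MAC are constructed placeholders, option B assumes the gateway is also the DHCP server, and the script only prints commands without applying them.

```shell
#!/bin/sh
# Prints isolation rules for options A and B; nothing is applied.
# All interface names and the MAC address are constructed placeholders.

# Option A (router): one VLAN per AP, inter-VLAN traffic is routed, so
# iptables can drop forwarding between every pair of guest VLAN interfaces.
# Usage: rules_option_a IFACE...
rules_option_a() {
    for in_if in "$@"; do
        for out_if in "$@"; do
            if [ "$in_if" != "$out_if" ]; then
                echo "iptables -I FORWARD -i $in_if -o $out_if -j DROP"
            fi
        done
    done
}

# Option B (each AP): one shared VLAN, traffic is bridged, so filter with
# ebtables. Frames arriving from the uplink are delivered to wireless
# clients only if the gateway sent them; frames between two radios of the
# same bridge are dropped as well.
# Usage: rules_option_b UPLINK GATEWAY_MAC WLAN...
rules_option_b() {
    uplink=$1; gw_mac=$2; shift 2
    for wlan in "$@"; do
        # -A appends, so the ACCEPT must be emitted before the DROP.
        echo "ebtables -A FORWARD -i $uplink -o $wlan -s $gw_mac -j ACCEPT"
        echo "ebtables -A FORWARD -i $uplink -o $wlan -j DROP"
        for other in "$@"; do
            if [ "$wlan" != "$other" ]; then
                echo "ebtables -A FORWARD -i $wlan -o $other -j DROP"
            fi
        done
    done
}

# Constructed sample topology: three AP VLANs on the router (option A),
# and one AP with two radios bridged to VLAN 3 (option B).
echo "# Option A, run on the router:"
rules_option_a eth0.10 eth0.11 eth0.12
echo "# Option B, run on each access point:"
rules_option_b eth0.3 02:00:00:00:00:01 wlan0 wlan1
```

The option B rules match on source MAC, which is not authenticated, so they keep ordinary guest traffic apart rather than forming a hard boundary.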