Client isolation

Will go the ebtables way then.
Thank you very much for your time answering this.

I ended up using the following. I have one router (router mode with guest AP) and another router (access point mode with guest AP) in my house. I want to disable any guest inter-bridge communication (on the same device and between devices; don't forget to also set the isolate 1 option in your wireless config to enable AP isolation for the guest iface).

On the router, because we want only inter-bridge communication to be blocked (we want WAN communication to be accepted for guests), we use the following command:
# drop every frame that is bridged from br-guest back out through br-guest
ebtables -I FORWARD --logical-in br-guest --logical-out br-guest -j DROP

If you only have one router and no APs, you are good to go.
On the AP, because we want to allow DHCP and Layer 2 communication to the router (which is the DHCP/DNS server) but block any other inter-bridge communication, we use the following commands (where 01:23:45:67:89:01 is the router's MAC address on the br-guest bridge):

# -I inserts at the top of the chain, so the DROP inserted first ends up last
# and each ACCEPT inserted afterwards is evaluated before it
ebtables -I FORWARD --logical-in br-guest --logical-out br-guest -j DROP
# frames addressed to the router (DHCP requests, DNS, ARP replies to it)
ebtables -I FORWARD --logical-in br-guest -d 01:23:45:67:89:01 -j ACCEPT
# frames sent by the router (DHCP offers/acks, DNS answers, ARP replies)
ebtables -I FORWARD --logical-in br-guest -s 01:23:45:67:89:01 -j ACCEPT
# broadcast frames (DHCP discover, ARP requests); unicast replies from
# other guests are still caught by the DROP above
ebtables -I FORWARD --logical-in br-guest -d Broadcast -j ACCEPT

You have to accept Broadcast because DHCP relies on it to find the DHCP server (which is the router in our case). Other broadcast traffic shouldn't work, as the reply to a broadcast is normally unicast, and that traffic will be accepted only if the source is the router.
I tested it and it seems to work as intended.
You will also have to install the ebtables package for this to work.

If someone has a better solution I am all ears :slight_smile:
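The rule set above, packaged as a small POSIX shell script. This is an added example, not the poster's own script: it assumes OpenWrt with the ebtables package installed, a guest bridge named br-guest, and a dedicated chain name GUEST_ISOLATE (the chain name is an assumption, chosen so the rules can be flushed and re-applied without touching the rest of FORWARD). Instead of relying on repeated -I to get the ACCEPT rules above the DROP, it appends the rules to its own chain in explicit top-down order, validates the router MAC, and prints the ebtables commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: OpenWrt, the
# ebtables package, bridge br-guest, and a private chain GUEST_ISOLATE.

# Accept a MAC of the form 01:23:45:67:89:01 (six hex pairs, colon separated).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the ebtables commands for ROLE ("router" or "ap") on bridge BR.
# For "ap", ROUTER_MAC is the router's MAC on the guest bridge.
# Rules are appended (-A) in evaluation order: ACCEPTs first, DROP last,
# which is what the post's repeated -I calls produce for the FORWARD chain.
guest_isolation_rules() {
    role="$1"; br="$2"; mac="$3"
    # create the chain, or flush it if it already exists (re-runnable)
    echo "ebtables -N GUEST_ISOLATE 2>/dev/null || ebtables -F GUEST_ISOLATE"
    # (re)hook the chain from FORWARD for frames bridged within BR only;
    # WAN-bound guest traffic never matches --logical-out $br
    echo "ebtables -D FORWARD --logical-in $br --logical-out $br -j GUEST_ISOLATE 2>/dev/null"
    echo "ebtables -I FORWARD --logical-in $br --logical-out $br -j GUEST_ISOLATE"
    case "$role" in
        router)
            # router case: nothing to whitelist, the DHCP/DNS server is local
            ;;
        ap)
            valid_mac "$mac" || { echo "invalid router MAC: $mac" >&2; return 1; }
            # broadcast (DHCP discover, ARP requests) must reach the router
            echo "ebtables -A GUEST_ISOLATE -d Broadcast -j ACCEPT"
            # unicast to/from the router (DHCP offers, DNS, ARP replies)
            echo "ebtables -A GUEST_ISOLATE -s $mac -j ACCEPT"
            echo "ebtables -A GUEST_ISOLATE -d $mac -j ACCEPT"
            ;;
        *)
            echo "unknown role: $role (expected router or ap)" >&2
            return 1
            ;;
    esac
    # everything else bridged guest-to-guest is dropped
    echo "ebtables -A GUEST_ISOLATE -j DROP"
}

# Generate and execute the rules, e.g. from /etc/rc.local on the AP:
#   apply_guest_isolation ap br-guest 01:23:45:67:89:01
apply_guest_isolation() {
    guest_isolation_rules "$@" | sh
}
```

Run `guest_isolation_rules ap br-guest 01:23:45:67:89:01` first to see the exact commands, then `apply_guest_isolation` with the same arguments; `ebtables -L GUEST_ISOLATE --Lc` afterwards shows per-rule counters, so pinging one guest client from another should increment only the final DROP rule while a DHCP renew increments the Broadcast and router-MAC ACCEPTs.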