It might be worth checking how things are actually set in sysfs.
As I understand things, there are 3 "isolation" settings... first there is an internal
hostapd setting (ap_isolate=1), which should nowadays always be set on. This
prevents hostapd from forwarding between wifi clients internally. Instead what it does
is forward all the traffic to the br- interface and let that decide what to do with it, so that
multicast-to-unicast transforms may be performed to increase common-case
performance... and for security reasons.
The second setting is the per-port hairpinning mode. This is usually set to off
on wired or WDS ports and on on client wlan ports. If it is set to off on the client
WLAN ports, clients will not be allowed to talk to each other. This is usually what
you are setting (nowadays) when you ask for client isolation in /etc/config/wireless.
Finally there is the virtual interface isolate mode which is more aimed towards
containers/vms but can be used as a paranoia switch to prevent traffic from
ever crossing between different bridges. Or something like that.
And in addition to this, there is the multicast to unicast setting which should
usualy be on, unless you actually have managed to herd more than a handlful
of clients who are all interested in the same multcast stream onto the same
AP, which is rare and about the only case where sending multicasts out as
RF multicasts is actually more efficient than just sending each client its own
unicast copy.
I don't have this problem. This is what my relevant sysfs nodes say:
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_wlan0ssid2/brport/hairpin_mode
1
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_eth0.2/brport/hairpin_mode
0
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_wlan0ssid2/brport/multicast_to_unicast
1
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_eth0.2/brport/multicast_to_unicast
0
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_wlan0ssid2/brport/isolate_mode
0
root@UUPMAP11:~# cat /sys/devices/virtual/net/br-vlan2/lower_eth0.2/brport/isolate_mode
0
I don't know how to check the actual state of the internal hostapd setting, but you should
see ap_isolate=1 always in /var/run/hostapd-phy* on all SSIDs unless you are doing something unusual,
even if you did not specify isolate in /etc/config/wireless. As noted above, selecting isolate should
change the value of the hairpin settings from 1 to 0.
(caveat: I'm testing ebtables-dhcpsnooping, so I also have some ebtables rules in the mix.)