VLAN for 2 separate networks sharing internet

So is the AP a different device from the one we're looking at now (in terms of the configuration)?

They probably shouldn't be configured identically unless they are true dumb APs (no DHCP, no routing, no firewalls).

I think it would be a good idea for you to draw a network diagram so that we can better understand your topology. Make it clear in your diagram what each device does, along with the brand+model of each device and the firmware that each thing is running. Also include the IP addresses of each device and VLAN information where it is relevant. A photo of a sketch on paper is sufficient for this purpose.

Here is the topology. All hosts are connected by wifi either through SSID1 or SSID2, with assigned IPs as described earlier (192.168.1.xx net mask 255.255.255.0 for SSID1, 192.168.2.xx net mask 255.255.255.0 for SSID2). All hosts can reach the internet regardless of SSID used since I added 192.168.2.1 to the AdGuard config. All hosts on SSID1 can talk to each other, but no host on SSID2 can talk to each other.

I forgot to add to the drawing that device eth1.2 is type 802.1q.

Firewall rules are the same as in post 13.

So according to your diagram, your WiFi is being handled by the tp-link devices with the vendor firmware. This means that there may be a configuration item in those devices that is relevant (such as WiFi client isolation) but I cannot point you to where that may be in the settings.

Also, you should not be using an unmanaged switch when working with VLANs. This can cause problems, depending on the implementation of the switch (the behavior of tagged frames through an unmanaged switch is undefined).

Finally, unplug one of the APs so that you can fully guarantee that all clients are connected to the same AP, then test to see if they can reach each other.

Well that will teach me a lesson. I thought I had double-checked the AP settings, but "guest mode" was indeed checked, which I think is client isolation. It would seem everything now works as expected.

Sorry about that!
