It doesn't matter how the topology is forwarded..These ACL/Filter rules are applied to the guests role preventing the users from communicating with anybody on its subnet except the default gateway. Call our GTAC if you still need help after looking ...
https://gtacknowledge.extremenetworks.com/articles/Solution/Block-MU-to-MU-enabled-but-users-can-still-communicate
Have you read the above document? This is the way to block the users from talking to anybody except their default gateway.
A common overlooked issue is the controller does not have its default route populated so the AP know the way to the controller but the controller doesn't know the way back. Controller, Network,routing protocols.
If you have any 3600 series AP's such as AP3610 you must stay on the 9.21 track. The 9.21.20 is the latest release of that track. If you only have 3700,3800 and 3900 series AP's you can upgrade to our latest 10.41.10,or the soon to be available 10.41...
