Help with discriminating wifi AP traffic please

Hi Fordem, Further to your advice I have set the following: M4100 Port 1 member Vlan 100, Vlan ID set to 100 tagging set 'T' This is connected to firewall router port 2 which has DHCP server giving addresses on Office subnet and vlan set to 100. M4100 Port 2 member Vlan 100, Vlan ID set 100 tagging set to 'U' This is not connected at present. M4100 Port 3 member Vlan 100, Vlan ID set to 100, tagging set 'U' This is connected to Office hub switch uplink M4100 Port 4 Member Vlan 100 and 300, Vlan ID set to 100, tagging set 'T' This is connected to wifi AP which has 2 SSIDs, one with Vlan 100 and second with Vlan 300. With this configuration I can log on to the Office SSID and receive an IP address and access wan. (Not surprisingly I cannot yet get an address if I log on to Guests SSID) I can ping from machine logged on to AP to machine on office subnet and vice versa. I cannot make a connection to the Guests SSID because I cannot yet get an IP address. At present I can ping machines on Guests subnet from Office subnet but this is because there is a route through the firewall for admin at present. If I filter this traffic out at firewall then there is no access between Office and Guests subnets. I have tried changing 'T' to 'U' on Port 1 but then connection fails. M4100 Port 6 member Vlan 300 Vlan ID set to 300 tagging set 'T' This is connected to firewall router port 3 which has DHCP server giving addresses on Guests subnet and valn set to 300. M4100 Port 7 member Vlan 300 Vlan ID set to 300 tagging set 'T' This is connected to another outdoor wifi AP which has 2 SSIDs set as above. This AP works as above but having tried it I have had to take down for now and restore simple access just for Guests. Please forgive lengthy message but am at bottom end of learning curve. Looking forward to next advice. Regards, Budgie2