Unifi has "L2 Isolation" you can specify on the WIFI and "device isolation" you can specify on the VLAN. Device isolation has options for "allowed access" and "restricted access". At present I only have L2 isolation on.
L2 isolation just means that there's no L3 routing taking place on the Unifi device itself, however, clearly, you have L2 routing happening if devices on different subnets are able to communicate with each other, which means it is probably happening at the firewall where the VLAN's terminate.
The Unifi support person is looking into the "Device isolation". I believe "Device isolation" with nothing specified for allowed or restricted does nothing. The support person seems to think it does but cannot fully explain it.
Device isolation on wireless is exactly what it sounds like. Devices aren't allowed to communicate with each other, even if they are on the same subnet. This is useful for hotels, public hotspots and other places of hospitality where you don't want the security risk of random devices being able to see each other.
I need to also setup Device isolation to protect the LAN which is the network where all my switches and access points are in. No PCs need to get to it.
That's usually what we'd call a management subnet or management VLAN. With your current L2 inter-VLAN routing happening you'll want to make sure you put in some explicit firewall rules that block traffic from any of the other VLAN's from getting to that VLAN and vice-versa.
An example of how you'd configure this would be as follows:
Firewall:
VLAN1 10.0.0.1 (untagged, management) 10.0.0.0/24
VLAN2 172.21.50.1 (tagged, Kids WiFi) 172.21.50.0/24
VLAN3 172.21.60.1 (tagged, Grandparents WiFi) 172.21.60.0/24
VLAN4 172.21.70.1 (tagged, Public WiFi) 172.21.70.0/24
Switch: 10.0.0.2
If L3, disable inter-VLAN routing or setup rules to block routing between the VLAN's you don't want to communicate with each other, for example, based on your OP:
Block any any 10.0.0.0/24 172.21.50.0/24
Block any any 10.0.0.0/24 172.21.60.0/24
Block any any 10.0.0.0.24 172.21.70.0/24
Block any any 172.21.50.0/24 10.0.0.0/24
Block any any 172.21.60.0/24 10.0.0.0/24
Block any any 172.21.70.0/24 10.0.0.0/24
If L2 only, you don't need to worry about it.
You'd use the same rules on the firewall if you wanted to block the management VLAN from accessing the low security VLAN's and vice-versa. This allows you to access devices by IP on the different subnet (like your printer for example) while keeping them from "discovering" devices on each of those networks. If you had one of those groups that you wanted to isolate in the same way as your management VLAN, you'd just create similar rules for it.
Your switch ports connected to the AP's would be trunked. The AP's themselves would be in VLAN1, but the SSID's you broadcast are in VLAN2, 3, 4
So in the above scenario, only your devices are on VLAN1, everything else is on one of the other VLAN's, the management VLAN can't get to the other VLAN's and they can't get to it, there's no wireless SSID associated with the management VLAN and clients on the low security VLAN's are able to access devices by IP address on the other VLAN's.
If you wanted to break it up further, we often put printers on their own VLAN, so you'd have a printing VLAN, each of your low security VLAN's would have access to the printer VLAN, but not each other.
