If you have enabled Full Client Isolation on a WLAN, the Restricted Subnet (ACL) is automatically applied to this WLAN and blocks access to all internal network devices. If you would like to allow access to certain devices, like printers, you have to configure the Restricted Subnet, available under Configure > Guest Access > Restricted Subnet. Here you will have to enter the IP address of the device you want users to have access to, with a subnet of /32. For example, if the IP address of the printer is 192.168.15.65, to give access you will have to enter 192.168.15.65/32. This implies that all host bits need to match to allow access.
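The /32 rule described above, as an added example that is not part of the original post or the vendor's software: a Python check that accepts only single-host exception entries and models which destinations an isolated guest can reach. The internal network `192.168.15.0/24`, the function names and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Assumption: the internal network behind the guest WLAN (constructed value).
INTERNAL_NET = ipaddress.ip_network("192.168.15.0/24")


def parse_exception(entry):
    """Parse one allow entry; accept only a single host written as a.b.c.d/32."""
    # strict=True rejects entries with host bits set, e.g. 192.168.15.65/24.
    net = ipaddress.ip_network(entry.strip(), strict=True)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(
            f"{entry}: covers {net.num_addresses} addresses, expected a /32"
        )
    return net


def audit(entries):
    """Split entries into accepted networks and rejected (entry, reason) pairs."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(parse_exception(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


def guest_can_reach(dest, exceptions):
    """Model: internal destinations are blocked unless a /32 exception matches."""
    addr = ipaddress.ip_address(dest)
    if addr not in INTERNAL_NET:
        return True  # outside the modelled internal network
    return any(addr in net for net in exceptions)


if __name__ == "__main__":
    # Constructed input: the printer from the post plus two over-broad entries.
    ok, bad = audit(["192.168.15.65/32", "192.168.15.65/24", "192.168.15.64/26"])
    for entry, reason in bad:
        print("rejected:", reason)
    for dest in ("192.168.15.65", "192.168.15.66", "203.0.113.10"):
        print(dest, "reachable" if guest_can_reach(dest, ok) else "blocked")
```

An entry wider than /32 would expose every address in its range to guests, which is why the check rejects it instead of silently accepting it.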
My question is similar to Wililiam's and has to do with client isolation. I have created a handful of VLANs for our guests and I would like to isolate them from the rest of the network. DHCP is set up on our AD server, and that is where all of the staff VLANs get their IP addresses. If I don't isolate the guest network(s), everything works fine. If I do full isolation, I get a correct IP and gateway, but I can't reach the internet at all. I'm assuming it is because I can't reach the AD server, which is the DHCP/DNS server. Would creating an ACL allowing traffic to/from the AD server fix the issue?