MAC address filtering not working through range extender
Solution 1:
MAC filtering is a completely inadequate method for increasing network security. Anyone can spoof any used address, MAC addresses are never encrypted. You need to use WPA2.
The router sees the MAC address of the extender, not the one of the client. So, if you allow the extender's MAC you allow everything connecting through it.
edit: If the MAC filter needs to work through the extender you'll need to filter the MAC on the extender.
PS: have you read this? Apparently, TP-Link has some specialties on their extenders.
Solution 2:
You must configure the MAC filter on each access point, when an access point forward packet from the client to another access point, the next access point only sees the forwarder's MAC.