Client isolation except whitelist IPs
You probably can't do the isolation on the "router" instead, as hosts in the same subnet aren't normally supposed to communicate via a router (more precisely, a gateway), but "directly" on layer 2 by finding out the destination MAC with ARP, i.e. through switching rather than routing. So to achieve what you want, you either need a more advanced switch (AP), or force routing (and leave client isolation enabled).
With that said, forcing routing within a (W)LAN is quite a nasty thing to do (and could be a bit hard to deploy); also it may not work for certain stuff.
To force routing, you need to either:
- Assign an address to each of the clients with a `/32` prefix (or subnet mask of `255.255.255.255`), with the "router" address as the `peer`. Basically that means setting up a point-to-point link to the "router" and eliminating the idea of subnet/LAN on the IP level. Now your default route wouldn't explicitly have the router as gateway, for the record. This approach is probably the "proper way".
- Remove the subnet route (which is normally added by the OS automatically) on each of the clients, or add a host route for each of the others with the router as gateway, and add a host route to the "router" if that hasn't been done.
Either of those would cause the clients to reach each other with the default route via the "router", which means you can then limit access with iptables.
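The two client-side approaches from this answer and the matching router-side iptables whitelist, as an added example that is not part of the original answer. It assumes a Linux router with iptables and iproute2, a wireless interface named wlan0, and constructed sample addresses from 192.0.2.0/24 (the whitelisted host 192.0.2.50 is a placeholder); with DRY_RUN=1 (the default) the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumptions: Linux with
# iproute2 and iptables, interface wlan0, sample addresses in 192.0.2.0/24.
# DRY_RUN=1 (default) prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Client side, approach 1: a /32 address with the router as point-to-point
# peer. No subnet route is installed, so every other host is reached through
# the default route via the router.
client_p2p() {
    client_ip=$1; router_ip=$2; iface=$3
    run ip addr flush dev "$iface"
    run ip addr add "$client_ip/32" peer "$router_ip" dev "$iface"
    run ip route replace default via "$router_ip" dev "$iface"
}

# Client side, approach 2: keep the normal /24 address but delete the
# connected-subnet route the OS added, keeping only a host route to the
# router. The subnet route comes back if the address is reconfigured
# (e.g. by a DHCP renewal), which is part of why this is hard to deploy.
client_hostroute() {
    prefix=$1; router_ip=$2; iface=$3
    run ip route del "$prefix" dev "$iface"
    run ip route replace "$router_ip/32" dev "$iface"
    run ip route replace default via "$router_ip" dev "$iface"
}

# Router side: forward between clients on the same interface only when the
# destination is whitelisted; everything else LAN-to-LAN is logged and dropped.
# send_redirects is disabled because a Linux router otherwise answers hairpin
# traffic with ICMP redirects instead of quietly forwarding it.
router_rules() {
    iface=$1; shift
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$iface.send_redirects=0"
    run iptables -N LAN_ISOLATE
    run iptables -A FORWARD -i "$iface" -o "$iface" -j LAN_ISOLATE
    # replies to allowed connections flow back through conntrack state
    run iptables -A LAN_ISOLATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for allowed in "$@"; do
        # only the whitelisted host may be reached; it cannot initiate
        # connections to arbitrary clients (add a matching -s rule if it should)
        run iptables -A LAN_ISOLATE -d "$allowed" -j ACCEPT
    done
    run iptables -A LAN_ISOLATE -m limit --limit 5/min -j LOG --log-prefix "lan-isolate: "
    run iptables -A LAN_ISOLATE -j DROP
}

# Demo of the generated commands (constructed addresses); only runs in dry-run mode.
if [ "${DRY_RUN:-1}" = "1" ]; then
    client_p2p 192.0.2.10 192.0.2.1 wlan0
    client_hostroute 192.0.2.0/24 192.0.2.1 wlan0
    router_rules wlan0 192.0.2.50
fi
```

The client functions have to be applied on every client, which is the deployment burden the answer refers to; the router rules only need to be loaded once, and the LOG rule gives you a record of which clients tried to reach each other directly.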