Hacker News
by zamadatix 1159 days ago
In an enterprise setup you usually ALG those things and block BUM traffic, except for things that register for a routed stream, in which case you have the system convert multicast to unicast to that client (in transport, not destination). If those are not a checkbox on your gear of choice, then you have to build it yourself as you did.

VLANs+Subnets play little role in the end on a Wi-Fi SSID. Clients get put in the same GTK and hear everything in the same BSSID. You don't want to go making BSSIDs per client either, as that kills airtime. Most of the time you're better off with a flat wireless network with the above controls, as it functions exactly the same as a divided network where you need the same controls anyways, but now it's simpler. Different subnets per SSID (for when you need to support different authentication methods, not for when you need different services to co-exist) can make things simpler though.
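
A small model of the forwarding policy the comment above describes, added here as an illustration and not part of the original comment or any vendor's implementation. The `AccessPoint` and `Frame` classes, the MAC addresses and the group address are constructed for the example; the model assumes membership is learned by snooping joins, and that ARP/DHCP would be answered by a separate proxy rather than flooded.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group_mac(mac: str) -> bool:
    # The I/G bit (lowest bit of the first octet) marks broadcast/multicast.
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str   # L2 receiver: the only field the conversion rewrites
    dst_ip: str    # L3 destination: stays the multicast group address

@dataclass
class AccessPoint:
    clients: set = field(default_factory=set)    # associated client MACs
    members: dict = field(default_factory=dict)  # group IP -> client MACs

    def join(self, client_mac, group_ip):
        # Stands in for an IGMP/MLD membership report seen by snooping.
        if client_mac in self.clients:
            self.members.setdefault(group_ip, set()).add(client_mac)

    def leave(self, client_mac, group_ip):
        self.members.get(group_ip, set()).discard(client_mac)

    def forward(self, frame):
        """Return the frames actually transmitted to wireless clients."""
        if not is_group_mac(frame.dst_mac):
            # Known unicast passes; unknown unicast is the "U" in BUM: drop.
            return [frame] if frame.dst_mac in self.clients else []
        if frame.dst_mac == BROADCAST:
            return []  # never flooded; a proxy/ALG would answer ARP or DHCP
        # Multicast: one unicast copy per registered client, IP header intact.
        return [Frame(frame.src_mac, mac, frame.dst_ip)
                for mac in sorted(self.members.get(frame.dst_ip, ()))
                if mac != frame.src_mac]
```

Because delivery is per registered client, a station that never joined a group receives none of its traffic even though it shares the SSID with the stations that did.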