I have a TP-Link Deco X55 Pro Mesh home Wifi, and it offers an isloated Guest Wifi network. There is a single DHCP pool for both the main and guest networks, so the DNS servers set in DHCP have to be reachable from both the main and guest networks. If I simply connect the Pi to my main network, and set DHCP to use its IP as primary and 1.1.1.1 as secondary, then I have to go and disable all the secure DNS settings in Chrome and Firefox and Android or they all ignore my local Pi DNS and use 1.1.1.1. The guest network is wifi only, so I configured the Pi’s wpa_supplicant to connect to the guest wifi SSID. The wlan is connected, but it’s only reachable from devices on the main network (which it should not be), and not by other devices on the guest network (which it should be). All devices on the main network can reach the wired lan interface just fine, as the should.

I’m a bit confused about the state of wlan configuration though:

baron@pi-1:~ $ sudo wpa_cli status verbose
Selected interface 'p2p-dev-wlan0'
wpa_state=DISCONNECTED
p2p_device_address=da:3a:dd:c3:02:e0
address=da:3a:dd:c3:02:e0
uuid=ec1c452b-43b7-5991-b133-24ebb761a051
baron@pi-1:~ $ ifconfig wlan0
wlan0: flags=4163  mtu 1500
        inet 192.168.68.76  netmask 255.255.252.0  broadcast 192.168.71.255
        inet6 fe80::27a:d770:dd35:568f  prefixlen 64  scopeid 0x20
        ether d8:3a:dd:c3:02:e0  txqueuelen 1000  (Ethernet)
        RX packets 138327  bytes 10181404 (9.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1782  bytes 310865 (303.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So even though my /etc/wpa_supplicant/wpa_supplicant.conf only has the SSID and PSK for the guest network, I can’t actually confirm it via wpa_cli.