diff --git a/README.md b/README.md
index bac668f73cbc631d81913e7fd1fe13c4a9848fdd..a411f6c31c5f4c00e3df919fc8652555b8fedb4e 100644
--- a/README.md
+++ b/README.md
@@ -884,15 +884,18 @@ available.
 Each backhaul STA can be assigned with a priority from its configuration:
 
 ```
-config radio
-	option device 'wl0'
+config bsta
+	option ifname 'wl0'
 	option band '5'
+	option device 'wl0'
 	option priority '0'
 
-config radio
-	option device 'wl1'
+config bsta
+	option ifname 'wl1'
 	option band '2'
-	option priority '1'
+	option device 'wl1'
+	option priority '2'
+
 ```
 
 Lower priority is better. This is the value which will decide which backhaul STA
@@ -1168,6 +1171,8 @@ For quick start guide see [here](./docs/QUICK_START.md#traffic-separation).
 
 For more detailed guide see [here](./docs/README-Traffic_Separation.md).
 
+For guest-to-guest isolation see [here](./docs/README-Traffic_Separation.md#wi-fi-guest-to-guest-isolation).
+
 For layer 3 setup guide see [here](./docs/layer3_ts.md).
 
 ## Misc
@@ -1195,6 +1200,35 @@ config agent 'agent'
        option netdev 'wl%_%'
 ```
 
+### AP Follow Backhaul STA DFS Status
+
+In mac80211 based implementations, a Wi-Fi Repeater may not be able to start
+beaconing on the 5GHz DFS channels on its fronthaul side interfaces, when the
+backhaul STA is connected on a DFS channel, which has not cleared DFS.
+
+A solution is implemented in the map-agent to circumvent the issue. When the
+backhaul STA connects, map-agent in the Repeater will find the channel and
+bandwidth of the upstream AP, and in the case of the channel/bandwidth not
+having cleared the DFS, will disconnect its 5GHz backhaul,
+and reconnect over 2.4GHz (if available). A fresh CAC is performed for the
+desired channel/bandwidth. Upon CAC completion, the Repeater device swaps the
+backhaul connection to 5GHz again, where the fronthaul can also start beaconing
+on the just cleared channel/bandwidth.
+
+This functionality is disabled by default, and is enabled through the
+configuration option 'ap_follow_sta_dfs'.
+
+NOTE: The option is recommended to be set only for mac80211 based driver.
+
+```
+config agent 'agent'
+	option enabled '1'
+	option profile '2'
+	option al_bridge 'br-lan'
+	option netdev 'wl'
+	option ap_follow_sta_dfs '1'
+```
+
 ## UBUS
 
 ```
diff --git a/agent.wireless.cfg b/agent.wireless.cfg
deleted file mode 100644
index 1ee93881fd44d65d0eeddc1edb25d380dde0f99c..0000000000000000000000000000000000000000
--- a/agent.wireless.cfg
+++ /dev/null
@@ -1,42 +0,0 @@
-config wifi-device 'wlan0'
-	option type 'mac80211'
-	option channel '11'
-	option hwmode '11g'
-	option country 'DE'
-	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
-	option htmode 'HT20'
-
-config wifi-iface 'default_wlan0'
-	option device 'wlan0'
-	option network 'lan'
-	option ifname 'wlan0'
-	option mode 'sta'
-	option encryption 'psk2'
-	option wps '1'
-	option wps_pushbutton '1'
-	option bss_transition '1'
-	option multi_ap '1'
-	option multi_ap_backhaul_sta '1'
-	option ssid 'dummy'
-	option key 'dummy12345'
-
-config wifi-device 'wlan1'
-	option type 'mac80211'
-	option channel '36'
-	option hwmode '11a'
-	option country 'DE'
-	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
-	option htmode 'VHT80'
-
-config wifi-iface 'default_wlan1'
-	option device 'wlan1'
-	option network 'lan'
-	option ifname 'wlan1'
-	option mode 'sta'
-	option encryption 'psk2'
-	option wps '1'
-	option wps_pushbutton '1'
-	option multi_ap '1'
-	option multi_ap_backhaul_sta '1'
-	option ssid 'dummy'
-	option key 'dummy12345'
\ No newline at end of file
diff --git a/controller.wireless.cfg b/controller.wireless.cfg
deleted file mode 100644
index 3762651d9dbf99b99e983bc8b1ae40a4c4e6ba46..0000000000000000000000000000000000000000
--- a/controller.wireless.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config wifi-device 'wlan0'
-	option type 'mac80211'
-	option channel '11'
-	option hwmode '11g'
-	option country 'DE'
-	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
-	option htmode 'HT20'
-
-config wifi-iface 'default_wlan0'
-	option device 'wlan0'
-	option network 'lan'
-	option ifname 'wlan0'
-	option mode 'ap'
-	option ssid 'iopsysWrt-0022077E9CD6'
-	option encryption 'psk2'
-	option key '2TBJG6DKTKIC75'
-	option wps '1'
-	option wps_pushbutton '1'
-	option ieee80211k '1'
-	option bss_transition '1'
-	option multi_ap '2'
-	option multi_ap_backhaul_ssid 'MultiAP-0022077E9CD6'
-	option multi_ap_backhaul_key 'multiap_key123'
-
-config wifi-iface 'default_wlan0_1'
-	option device 'wlan0'
-	option network 'lan'
-	option ifname 'wlan0_1'
-	option mode 'ap'
-	option ssid 'MultiAP-0022077E9CD6'
-	option encryption 'psk2'
-	option key 'multiap_key123'
-	option ieee80211k '1'
-	option bss_transition '1'
-	option multi_ap '1'
-
-config wifi-device 'wlan1'
-	option type 'mac80211'
-	option channel '36'
-	option hwmode '11a'
-	option country 'DE'
-	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
-	option htmode 'VHT80'
-
-config wifi-iface 'default_wlan1'
-	option device 'wlan1'
-	option network 'lan'
-	option ifname 'wlan1'
-	option mode 'ap'
-	option ssid 'iopsysWrt-0022077E9CD6'
-	option encryption 'psk2'
-	option key '2TBJG6DKTKIC75'
-	option wps '1'
-	option wps_pushbutton '1'
-	option ieee80211k '1'
-	option bss_transition '1'
-	option multi_ap '2'
-	option multi_ap_backhaul_ssid 'MultiAP-0022077E9CD6'
-	option multi_ap_backhaul_key 'multiap_key123'
-
-config wifi-iface 'default_wlan1_1'
-	option device 'wlan1'
-	option network 'lan'
-	option ifname 'wlan1_1'
-	option mode 'ap'
-	option ssid 'MultiAP-0022077E9CD6'
-	option encryption 'psk2'
-	option key 'multiap_key123'
-	option ieee80211k '1'
-	option bss_transition '1'
-	option multi_ap '1'
diff --git a/docs/README-Traffic_Separation.md b/docs/README-Traffic_Separation.md
index bbcdcc805c77902eb60c85c95d0933041b0854ce..97acfcb24568e4ae85e37ebf153e39b4fa27f90d 100644
--- a/docs/README-Traffic_Separation.md
+++ b/docs/README-Traffic_Separation.md
@@ -102,10 +102,10 @@ be appended or untagged at the bridge and each specified port.
 |--------|---------|-------------|
 | name   | string  | Unique section identifier |
 | device | string  | Map to a device section with the same name |
-| vlan   | integer | VLAN ID for which this section dictates tagging ruels |
+| vlan   | integer | VLAN ID for which this section dictates tagging rules |
 | flags  | string  | List of egress and ingress rules for the bridge.<br /> 'untagged' = Packets egress untagged for specified VID<br /> 'pvid' = Add VID tag for ingressing untagged frames |
 | local  | boolean | Whether any tagging rules should be applied at bridge level for this VLAN ID |
-| ports  | string  | List of ports and port desired VLAN ID handling at port level<br /> '*port*:t' = Keep VID tag intact for ingressing and egressing traffic<br /> '*port*:*' = Add VID tag for ingress and remove tag on egress<br /> '*port*' = Add VID tag for ingress and remove tag on egress |
+| ports  | list  | List of ports and port desired VLAN ID handling at port level<br /> '*port*:t' = Keep VID tag intact for ingressing and egressing traffic<br /> '*port*:*' = Add VID tag for ingress and remove tag on egress<br /> '*port*' = Add VID tag for ingress and remove tag on egress |
 
 Map-agent will create these sections for each passed VLAN ID within the Traffic
 Separation TLV. At the Ethernet port level map-agent will add egress and ingress
@@ -189,3 +189,90 @@ tags are dropped. In example above *eth2* will:
 
 For wireless port *wl0.2*:
 * Transfer untagged traffic to vid 50.
+
+
+## Wi-Fi Guest-to-Guest Isolation
+
+With Wi-Fi guest-to-guest isolation enabled, clients within the same guest VLAN
+ID may not send or receive traffic from one another.
+
+Guest-to-guest isolation will set the wireless configuration option `isolate` to
+1 to prevent intra-BSS traffic between STAs. Additionally, `ebtables` filter
+rules are added to prevent communication between WiFi guest STAs connected to
+different devices.
+
+This feature does not affect Wi-Fi clients on the primary VLAN.
+
+### Configuration
+
+This can be enabled with the map-agent UCI configuration's (global section)
+option name 'guest_isolation'.
+
+```
+config agent 'agent'
+        option enabled '1'
+        option brcm_setup '1'
+        option al_bridge 'br-lan'
+        option netdev 'wl'
+        option island_prevention '0'
+        option eth_onboards_wifi_bhs '1'
+        option guest_isolation '1'
+```
+
+### Implementation
+
+When traffic separation is enabled as provided by **Default 802.1Q Settings TLV**
+and **Traffic Separation Policy TLV** and the option `guest_isolation` is set
+map-agent will create ebtables rules as follows:
+
+```
+root@iopsys-44d43771b730:~# ebtables -L
+Bridge table: filter
+
+Bridge chain: INPUT, entries: 0, policy: ACCEPT
+
+Bridge chain: FORWARD, entries: 4, policy: ACCEPT
+-p 802_1Q -i wl0.2 -o wds+ --vlan-id ! 1 -j DROP
+-p 802_1Q -i wds+ -o wl0.2 --vlan-id ! 1 -j DROP
+-p 802_1Q -i wl1.2 -o wds+ --vlan-id ! 1 -j DROP
+-p 802_1Q -i wds+ -o wl1.2 --vlan-id ! 1 -j DROP
+
+Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
+```
+
+These rules are applied for any fronthaul interface with a guest VLAN ID. The
+ebtable rules will drop any traffic with a VLAN ID tag that differs from the
+primary that is egressing over a 4address mode link. And vice versa, any traffic
+with a VLAN ID tag that differs from the primary ingressing over a 4address mode
+link and egressing over a fronthaul interface with a guest VLAN ID will be
+dropped. This prevents any traffic from flowing over the guest network between
+clients connected at different nodes.
+
+To prevent intra-BSS traffic, hostapd `isolate` option is set over the
+guest fronthaul interfaces to prevent client to client traffic.
+
+```
+config wifi-iface 'wl1_2_ap'
+	option ifname 'wl1.2'
+	option ieee80211k '1'
+	option bss_transition '1'
+	option wps '1'
+	option wps_pushbutton '1'
+	option uuid 'c96f5e29-9c4a-4abf-942d-44D43771B730'
+	option network 'lan'
+	option ssid 'iopsys-vid20'
+	option key '1234567890'
+	option encryption 'sae-mixed+aes'
+	option mode 'ap'
+	option device 'wl1'
+	option multi_ap '2'
+	option ieee80211w '1'
+	option disabled '0'
+	option mbo '1'
+	option wps_device_type '6-0050f204-1'
+	option multicast_to_unicast '1'
+	option isolate '1'                                     # isolate traffic
+	option multi_ap_backhaul_ssid 'MAP-44D43771B730-BH-2.4GHz'
+	option multi_ap_backhaul_key '626fb1949a0f05a0643c067f91c66582fe7f20a2531cdd933b2627b3b9c610b'
+
+```
diff --git a/docs/layer3_ts.md b/docs/layer3_ts.md
index dafa8661bf408fac543aa5902002546549b8c82b..fb76bbb7e7ec19867c6a40ed43ca365e460129b8 100644
--- a/docs/layer3_ts.md
+++ b/docs/layer3_ts.md
@@ -377,7 +377,7 @@ root@iopsys-021000000001:~# cat /tmp/dhcp.leases
 
 By using tcpdump, we can now observe that this clients traffic will now have its
 VLAN ID 20 tag intact over **br-lan**, which means it will not egress through from
-**br-lan** as now egress rules are set for VID 20 on **br-lan**.
+**br-lan** as no egress rules are set for VID 20 on **br-lan**.
 
 ```
 root@iopsys-021000000001:~# tcpdump -nei br-lan icmp