The RAP are in bridge mode and all SSID's are in used in permanent config.
Here is the result of "show rights authenticated"
http://pastebin.com/s0RwDeab
I actually began with my an acl which permited everything this way:
User any any permit
network 192.168.1.0 255.255.255.0 user any permit
But it didn't worked, so I just tried with the authenticated rôle and it seems that I've an issue with my configuration.
As I said it before, internal traffic isn't denied, because everything works fine with all the clients on the wifi, but if someone outside connected on the LAN throught ethernet try to do something with my clients it's always in denied.
And the printers do use broadcast on the network. I don't have any checkbox which drops broadcast in the vAP, I only have
"Convert Broadcast ARP requests to unicast"
checked in the vAP"
Thanks.