I think your problem is caused from your role configuration. Please verify which Role is assigned to your clients and go to your role settings. There is a checkbox for "Allow Client to Client".
Thank you SO much! I can't believe I missed it - how obvious is "Allow Client to Client on the same AP"????! :-)