Ok, so the final update, I have everything fixed now (at least till now)☺
So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs
apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header)
after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue.
Thanks everyone for the help