I have a NAT rule to send 3389 from outside my network to a particular system behind the TL-ER5120. I then have an Access Control setup only to allow 3389 to that computer, through my WAN, if I'm connected to my VPN provider. That way, if my Citrix desktops are down, I can still get in through 3389 if I connect to my VPN.
This worked perfectly on my last TP-Link load balance router (TL-R470T+), but just does not work on the TL-ER5120. It doesn't matter what the access control rule is set to... if the NAT rule is enabled, the port is open to any outside IP address.
I'm 99.9999% certain I'm not doing this wrong. It's pretty cut and dry. Hopefully I'm wrong.