Recent TCP no-Flag attacks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:Recent TCP no-Flag attacks
2023-05-30 20:43:44

  @sl9999 

According to the email I received from support - and as was mentioned earlier in this thread, the router does not currently have the capability to indicate the IP source (internal or external). They, therefore, suggest that we use Wireshark to capture packets to determine the source. To do this, we need to connect a PC to the router and set port mirroring on the router to capture packets. For details on how to do this, we can refer to https://www.tp-link.com/en/support/faq/3235/. They also said that "the mirrored port selects the wan port and the port connected to the router and switch at the same time". That's unclear to me, but I'm sure they'll tell me about that when they respond.

I have been playing with Wireshark, but I'm not very knowledgeable at this point. So, I responded that, according to the linked instructions, it appeared that I needed to do the above with the TL-R605's built-in UI (and not the OC200's). If I read that correctly, I'd have to make the OC200 'forget' the router first. I may have read the instructions incorrectly, but I'm sure they'll let me know about that too.


(1) TL-R605 v1.0 Router/Gateway (1) OC200 v1.0 Controller (1) TL-SG2210P v3.20 POE Switch (2) TL-SG2218 v1.0 POE Switch (3) EAP245 v3.0 Access Point (1) EAP225-Outdoor v1.0 Access Point
#12
Re:Recent TCP no-Flag attacks
2023-05-30 20:55:28

  @lflorack 

Thanks for the detailed answer.

Very complicated indeed. 

I'd rather not mess with my working configuration (forget OC200, R605 built-in UI, ...).

Some people say not to worry because the firewall does the job, but I'm not comfortable with that approach.

It's also rather strange that the same problem occurs at the same moment with different people.

#13
Re:Recent TCP no-Flag attacks
2023-05-31 02:18:24

  @sl9999 

A quick clarification update:  Support responded and it turns out that you do not need to have the OC200 forget the router.  The port mirroring needed can be done through the OC200 to the router.  However, the PC or laptop with Wireshark loaded on it must be connected directly to an open LAN port on the router.  

 

With that in mind, I'll read the rest of the instructions at https://www.tp-link.com/en/support/faq/3235/ tomorrow.

#14
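
An added example, not part of the original thread or TP-Link's tooling: once a mirrored-port capture exists, the check support describes comes down to finding TCP segments whose flag byte matches the Null, FIN or Xmas patterns and seeing whether their source lies inside the LAN. The LAN subnet, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: your LAN subnet
FIN, PSH, URG = 0x01, 0x08, 0x20              # TCP flag bits
SCANS = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas"}

def scan_type(flags):
    """Name the stealth-scan pattern for a TCP flags byte, or None."""
    return SCANS.get(flags & 0x3F)  # ignore the ECN bits (ECE/CWR)

def inspect(packet):
    """Return (src_ip, origin, scan) for a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None  # too short, not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 14:
        return None  # truncated before the TCP flags byte
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # later fragment: carries no TCP header
    scan = scan_type(packet[ihl + 13])
    if scan is None:
        return None
    src = ipaddress.ip_address(packet[12:16])
    return str(src), "internal" if src in LAN else "external", scan

def tally(packets):
    """Count suspicious segments per (source, origin, scan type)."""
    return Counter(r for r in map(inspect, packets) if r)

def build(src, dst, flags):
    """Constructed sample: minimal IPv4 + TCP headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

SAMPLE = [  # constructed packets, not taken from any real capture
    build("192.168.0.23", "192.168.0.1", 0x00),  # null, from the LAN
    build("192.168.0.23", "192.168.0.1", 0x00),
    build("203.0.113.7", "192.168.0.1", 0x29),   # xmas, from outside
    build("203.0.113.7", "192.168.0.1", 0x12),   # SYN/ACK: normal, ignored
    build("203.0.113.9", "192.168.0.1", 0x01),   # lone FIN
]

if __name__ == "__main__":
    for key, count in tally(SAMPLE).most_common():
        print(count, *key)
```

In Wireshark itself, the display filter `tcp.flags == 0x000` isolates the same no-flag segments.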
Re:Recent TCP no-Flag attacks
2023-05-31 02:23:23

Hi @lflorack

 

That's great! Please feel free to reply to the support email for further follow-up.

Best Regards!
#15
Re:Recent TCP no-Flag attacks-Solution
2023-06-02 10:08:00 - last edited 2023-06-02 10:08:04

Hi All,

 

Please follow the post below for the available solution:

Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue

Best Regards!
Recommended Solution
#17
Re:Recent TCP no-Flag attacks
2023-06-02 12:15:38 - last edited 2023-06-03 14:30:18

  @Hank21 

 

Although it's great that the support engineers found that the issue reported here and elsewhere is that the log recognition mechanism was changed in version 1.3.0 - and that it will be corrected in the next version of the ER605 firmware, I don't think that temporarily disabling the "Block TCP Scan (Stealth FIN/Xmas/Null)" defense option is a sound resolution. As I understand it, turning this option off defeats the actual defense mechanism and does not just turn off the log warnings. It would then permit any real attacks of this type to be allowed into my system - not at all an optimal solution. So, I will leave my settings as they are and try to ignore the excessive and incorrect warnings until the firmware is fixed. If a beta or pre-release firmware version that addresses this issue safely and correctly is released prior to the next official firmware version, please let me know so that I can more safely address this issue.

#18
Re:Recent TCP no-Flag attacks
2023-06-05 02:14:35

Hi @lflorack,

 

Thanks for your valuable feedback.

You may subscribe to this thread, it will be updated once the Beta/Official firmware of the router is released.

Best Regards!
#19