I am testing out an ER8411 in the lab to see if it is an appropriate router for my existing business use case. I am using one-to-one nat to map several public static IPs to internal private IPs for several servers. They include web servers (ports 80 and 443), some SMTP servers, a VOIP server, RDP servers, FTP servers, etc. I would like to open ONLY the ports to each individual server that they are actually serving (ie. the webservers only have ports 80 and 443 open and nothing else). Obviously, if I enable DMZ forwarding in one-to-one NAT, traffic flows properly between WAN and LAN. However, this opens all incoming ports to the server, which seems like a terribly risky approach for security purposes. How do I block all ports to each server and only open up the ones I wish to use for each server? I tried using Access Control rules to open only specified ports, but I was unable to get WAN to LAN traffic flow.

My problem is very similar to the one discussed in this linked thread, but I attempted to use the proposed solution without success. I could not get incoming WAN packets to flow to the desired server ports. https://community.tp-link.com/en/business/forum/topic/506282

The Virtual Servers function is not an option since these servers are on their own unique public IPs and reuse the same ports. DMZ forwarding seems like a very bad idea for security. Access Control rules don't appear to actually open ports. Any advise or assistance would be greatly appreciated.

Thank you! :-)