One-to-One NAT with limited ports?

3 weeks ago

I have multiple static IPs configured with my ISP. I have a node on my network that is mapped to one of those static IPs. I can't seem to get the firewall rule in place to only allow ports 80 and 443 through. I have tried both Gateway ACLs and Switch ACLs. Can someone point me in the right direction?

#1
Re:One-to-One NAT with limited ports?
3 weeks ago - last edited 3 weeks ago

 

muzicman0 wrote

I have multiple static IPs configured with my ISP. I have a node on my network that is mapped to one of those static IPs. I can't seem to get the firewall rule in place to only allow ports 80 and 443 through. I have tried both Gateway ACLs and Switch ACLs. Can someone point me in the right direction?

Hi @muzicman0 

Could you provide the topology of your network, and share the screenshots of your One-to-One NAT setting page and ACL setting page?

 

Please also help to confirm the controller version, the models of your devices and the versions of them.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re:One-to-One NAT with limited ports?
3 weeks ago

I will try to get some images of that put together today. I think I mostly have it working now, but what would be helpful is knowing the order in which the various services are processed, i.e. does it go {WAN Interface} -> NAT -> Gateway ACL -> Switch ACL?

 

I will try to describe my topology:

 

Internet with multiple IPs -> ER707-M2 (Gateway) -> Omada 24-port switch

 

I have multiple APs hanging off the switch.


DMZ: 192.168.2.0/24

Corp LAN(s): 10.1.0.0/16

PUBLIC_IP 2: One to One NAT to 192.168.2.3

 

The DMZ network in question (we call it EngageNet) is simply defined as a VLAN with ACLs that allow no communication from the DMZ to the Corp LAN, but we do allow established communication INTO the DMZ from the Corp LAN.

 

So, 10.1.0.0/16 -> 192.168.2.0/24 is allowed, but

192.168.2.0/24 -> 10.1.0.0/16 is not allowed unless initiated from the Corp LAN.

 

I currently have a Switch ACL allowing certain ports (80, 448, 3478, 5900) from IPGroup_any to 192.168.2.3/32, and then a rule denying all traffic to 192.168.2.0/24.

 

This seems to work.

 

I also have a Gateway ACL that specifically blocks port 5900 on WAN_In so that VNC can't happen from the public internet, but it is allowed on the LAN. This also seems to work.

 

What I can't figure out is how to selectively block traffic from a specific public IP.  

 

For instance (not that I do, but), if I wanted to allow port 5900 on public IP 1 but not on public IP 2, I am not sure how to do this.

 

#3
Re:One-to-One NAT with limited ports?
3 weeks ago

@Hank21 Ignore the above. I mostly have this working, but how can I create a Gateway ACL that ONLY applies to a specific static IP?

 

An example would be that I have 2 IP addresses, and I want 4.4.4.1 to block port 443 (which it will by default), but I want 4.4.4.2 to allow 443. Is that possible? I have tried various things but none seem to work.

 

Everything I have found is just a blanket allow or deny 443 for every configured Public IP.

 

For reference here is what I have that is working, but again, it works on all 5 of my public static IP addresses.

 

 

 

 

#4
Re:One-to-One NAT with limited ports?
3 weeks ago

muzicman0 wrote

@Hank21 Ignore the above. I mostly have this working, but how can I create a Gateway ACL that ONLY applies to a specific static IP?

 

An example would be that I have 2 IP addresses, and I want 4.4.4.1 to block port 443 (which it will by default), but I want 4.4.4.2 to allow 443. Is that possible? I have tried various things but none seem to work.

 

Everything I have found is just a blanket allow or deny 443 for every configured Public IP.

 

For reference here is what I have that is working, but again, it works on all 5 of my public static IP addresses.

 

 

 

 

Hello @muzicman0 

Have you set the permit rule's priority above the deny rule? For example, what if you create a permit rule for 4.4.4.2 port 443 first, and then a deny rule for the other IPs?

#5
Re:One-to-One NAT with limited ports?
3 weeks ago - last edited 3 weeks ago

@Hank21 Where do I specify the WAN IP? I don't see a way to specify the WAN IP address, so I don't see how I would do that. Am I missing something? I only seem to be able to specify WAN IN, not WAN IN 4.4.4.2.

#6
Re:One-to-One NAT with limited ports?
3 weeks ago

 

muzicman0 wrote

@Hank21 Where do I specify the WAN IP? I don't see a way to specify the WAN IP address, so I don't see how I would do that. Am I missing something? I only seem to be able to specify WAN IN, not WAN IN 4.4.4.2.

Hi @muzicman0 

You can create an IP-Port group with 4.4.4.2 and put it in the destination. The communication is bidirectional, so it should achieve your request somehow.

 
#7
Re:One-to-One NAT with limited ports?
3 weeks ago - last edited 3 weeks ago

  @Hank21 Doesn't seem to work, or I am doing it wrong.

 

I have One-to-One NAT set up to translate 10.1.10.252 to 4.4.4.2, and DMZ is checked in the One-to-One NAT rule:

 

 

I have a gateway ACL that denies port 443 on 4.4.4.2:

 

 

 

 

But I am still able to reach the server at 10.1.10.252 on port 443 via 4.4.4.2 from the public internet. Am I doing this wrong?

#8
Re:One-to-One NAT with limited ports?
2 weeks ago

Hi @muzicman0 

Sorry for my mistake. The current controller does not support selecting one of the WAN IPs when configuring One-to-One NAT. This function is under development now, and we expect it to be implemented in the future. Thanks for understanding.

#9
Re:One-to-One NAT with limited ports?
2 weeks ago

  @Hank21 I am trying to come up with a way to block VNC on my public IP address, but this limitation makes it not work.

 

I tried to create a rule on the switch that 'allows' ALL traffic from the 10.0.0.0/8 IP addresses to the entire 192.168.2.0/24 subnet. I then created a deny from ANY IP to 192.168.2.3/32, but it doesn't work. It just denies all traffic, which doesn't make sense to me.

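To make the ordering question running through posts #3, #5 and #10 concrete, here is an added example (not from the thread and not Omada code) that models an ordered ACL under strict first-match, top-down evaluation. That evaluation model, the default-deny fallback, and the sample source addresses 10.1.0.5, 192.168.2.50 and 203.0.113.9 are assumptions; the rule sets are the ones the posts describe.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    dports: frozenset[int] | None  # None = any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self._in(self.src, src_ip) and self._in(self.dst, dst_ip)
                and (self.dports is None or dport in self.dports))

    @staticmethod
    def _in(net: str, ip: str) -> bool:
        return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, dport: int,
             default: str = "deny") -> str:
    """First rule that matches, top to bottom, decides; otherwise the (assumed) default applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


# Switch ACL from post #3: permit a few ports to the DMZ host, then deny the whole DMZ subnet.
POST3_SWITCH_ACL = [
    Rule("permit", "any", "192.168.2.3/32", frozenset({80, 448, 3478, 5900})),
    Rule("deny", "any", "192.168.2.0/24", None),
]

# Post #5's suggestion for the gateway ACL: a narrow permit placed above a broad deny.
WAN_IN_ORDERED = [
    Rule("permit", "any", "4.4.4.2/32", frozenset({443})),
    Rule("deny", "any", "any", frozenset({443})),
]

# Post #10's rule pair; the thread reports the real switch behaved differently from this model.
POST10_SWITCH_ACL = [
    Rule("permit", "10.0.0.0/8", "192.168.2.0/24", None),
    Rule("deny", "any", "192.168.2.3/32", None),
]

if __name__ == "__main__":
    print(evaluate(POST3_SWITCH_ACL, "10.1.0.5", "192.168.2.3", 22))       # deny
    print(evaluate(WAN_IN_ORDERED, "203.0.113.9", "4.4.4.2", 443))          # permit
    print(evaluate(WAN_IN_ORDERED[::-1], "203.0.113.9", "4.4.4.2", 443))    # deny: order flipped
```

Reversing WAN_IN_ORDERED shows why a broad deny above a narrow permit silently swallows the exception, which is the failure mode post #5 is probing for.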