I am on the topology below trying to configure a unidirectional ACL rule. However it forces me to a bi-directional deny. The answer on other post mentions it should work with tp-link router, assuming it is statefull. But it doesn't work with ER605 router as in the topology below.

• iot-vlan
• internal-vlan
• default-vlan

Configuration:

Expected behavior:

• iot-vlan cannot ping internal-vlan or default-vlan
• internal-vlan and default-vlan can ping iot-vlan

Observed behavior:

• iot-vlan cannot ping internal-vlan or default-vlan
• internal-vlan and default-vlan cannot ping iot-vlan

Extra info:

ER605 - hardware v2.0, firmware v2.2.5

EAP610(2x) - hardware v2.0(U.S.), firmware 1.1.7

Obs:

I'm 90% sure it was working correctly before updating from 2.2.3(ER606). It may also be because the main AP was marked as type `Gateway` (whatever this may be). I should test this config later and let you know as well.