@theradioguy 

yes i agree that it is a significant problem when router acl lacks this option. it will probably come but i don't know when. emergency solution is to use switch acl or eap acl. it works but is not optimal

  @theradioguy  it's such a shame .. i want to use a single adguard dns server for all vlans but as  im not allowing any type of communication between vlans in gateway acl i cant , i had to create an adguard server for each vlan .. , its annoying to use swtich acl specially if you have lots of devices in each vlan ..   i hope they add this feature asap ... it is a basic feature to have.. block the whole traffic but except to that specific IP group .  

  @invadia 

Yes, it's unfortunate that groups aren't in place in LAN-LAN yet, rumors say that it will come in the 5.16.x version, but it could easily take another year, in the meantime you can create your own VLAN that you have the Adguard server in, then you block all networks except the VLAN that the Adguard server is in.

in this VLAN you can also have other shared resources

Can't believe such basic feature was not implemented right from the beginning. Hell, it is not even a "feature", it is the most basic thing.
Omada is supposed to be a "business" grade solution yet they have so many misses - this one and proper QOS (like how it is done in Cisco) are the most painful 

P.S. A stupid idea but if this is allowed on a switch ACL only - what if I put a small 4 ports Omada switch between my ER Omada gateway and other (non-Omada) switch?

  @Augustine_Heigh 

SG2008 and higher switches will allow you use use the ACLs in the way you want.  ES series switches do not support ACLs.

  @GRL It looks like TP-Link deliberately moving part of gateway (routing!) functions to switches? But you need L3 switch to do that which may be an overkill for a home setup.

BTW, Thank you VERY much for mentioning that, you literally saved me from buying a useless ES switch!!

Is there any feature matrix where we could see what feature is supported on what device?