Use IP Group in Lan-Lan ACL on Omada
I have inherited a TP Link Omada setup and am trying to set up segregation between VLANs. I've started by creating firewall rules to deny traffic between the different VLANs. However, I need to be able to allow certain management devices access to specific IPs on other VLANs, but when I try to create an ACL of type 'LAN-to-LAN' the only 'source' option is to choose a network, not an IP group or a single IP.
So, my question is - how do I allow one or two specific devices on a VLAN access to either an entire VLAN, or access to another specific device?
So how does one use Switch ACL to allow one IP to go through? I have a SG2008 switch
I created a Gateway ACL with Deny from IoT to Main
I then created a Switch ACL with Permit for IoT:IP/32 to Main:IP/32
I can't ping Main:IP from IoT:IP
Or would I need to nix the Gateway ACL and think of what devices I want from IoT to be able to communicate with Main (e.g., like my hubs) ... or just hope that LAN-LAN IP Groups are coming to the Gateway at some point....
@GoodOmens I have a feeling that in order to achieve that you may need to do intra-vlan routing on the switch rather than on the gateway :(
@theradioguy It seems my pleas were answered. Controller 6.1 just released has Gateway level IP Groups, ports etc. My above scenario works as intended - I can whitelist specific IoT VLAN IPs (and I guess ports if I wanted) to override the blanket IoT->Main deny.
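The "specific permit above a blanket deny" pattern GoodOmens describes, as an added illustration that is not Omada code and does not use the Omada controller's API: a toy first-match ACL evaluator over IP groups and an IP-port group, plus a shadow check that flags a permit placed below a broader deny. It assumes top-down, first-match evaluation and a default-permit fall-through (the thread's blanket deny was needed, so untouched LAN-to-LAN traffic is taken to pass); the VLAN ranges, the hub, server and DNS addresses, and the rule names are all constructed for the example.

```python
"""Toy first-match ACL evaluator for an IoT -> Main whitelist.

Added illustration only: not Omada firmware, controller code or API.
Assumed: rules are evaluated top-down and the first match wins; traffic
matching no rule is permitted (default-permit, as the blanket deny in the
thread implies).  All addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    src: Tuple[Net, ...]                 # source IP group (one or more CIDRs)
    dst: Tuple[Net, ...]                 # destination IP group
    dst_ports: Optional[frozenset] = None  # None = any port; a set models an IP-port group


def ip_group(*cidrs: str) -> Tuple[Net, ...]:
    """Build an IP group; a /32 entry is a single host (e.g. the hub)."""
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


def matches(rule: Rule, src: str, dst: str, port: Optional[int]) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in rule.src)
            and any(d in n for n in rule.dst)
            and (rule.dst_ports is None or port in rule.dst_ports))


def evaluate(rules: List[Rule], src: str, dst: str,
             port: Optional[int] = None, default: str = "permit"):
    """Return (action, rule name) of the first matching rule, or the default."""
    for r in rules:
        if matches(r, src, dst, port):
            return r.action, r.name
    return default, "implicit-default"


def covers(outer: Tuple[Net, ...], inner: Tuple[Net, ...]) -> bool:
    """True when every network in `inner` lies inside some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def shadowed(rules: List[Rule]):
    """Rules that can never fire because an earlier, broader rule with the
    opposite action already swallows all of their traffic (the mistake of
    putting the whitelist below the blanket deny)."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != r.action
                    and covers(earlier.src, r.src)
                    and covers(earlier.dst, r.dst)
                    and (earlier.dst_ports is None
                         or (r.dst_ports is not None
                             and r.dst_ports <= earlier.dst_ports))):
                out.append((r.name, earlier.name))
                break
    return out


# Constructed addressing: IoT VLAN 192.168.20.0/24, Main VLAN 192.168.10.0/24,
# a hub at 192.168.20.50 that must reach a server at 192.168.10.5, and a DNS
# resolver at 192.168.10.1 that every IoT device may query on port 53 only.
IOT, MAIN = ip_group("192.168.20.0/24"), ip_group("192.168.10.0/24")
HUB, SERVER, DNS = (ip_group("192.168.20.50/32"),
                    ip_group("192.168.10.5/32"),
                    ip_group("192.168.10.1/32"))

DENY_IOT_TO_MAIN = Rule("deny-iot-to-main", "deny", IOT, MAIN)
PERMIT_HUB = Rule("permit-hub-to-server", "permit", HUB, SERVER)
PERMIT_DNS = Rule("permit-iot-to-dns", "permit", IOT, DNS, frozenset({53}))

RULES = [PERMIT_HUB, PERMIT_DNS, DENY_IOT_TO_MAIN]   # specific permits above the blanket deny
MISORDERED = [DENY_IOT_TO_MAIN, PERMIT_HUB, PERMIT_DNS]  # deny first: both permits are dead

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.20.50", "192.168.10.5"))      # hub -> server: permit
    print(evaluate(RULES, "192.168.20.51", "192.168.10.5"))      # other IoT host: deny
    print(evaluate(RULES, "192.168.20.77", "192.168.10.1", 53))  # DNS query: permit
    print(evaluate(RULES, "192.168.20.77", "192.168.10.1", 443)) # same host, HTTPS: deny
    print(evaluate(MISORDERED, "192.168.20.50", "192.168.10.5")) # deny: permit shadowed
    print(shadowed(MISORDERED))
```

Run `shadowed()` over a rule list before committing it: a whitelist that sits below the blanket deny passes the controller's validation but never matches, which is exactly the symptom of "I can't ping Main:IP from IoT:IP".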
@GoodOmens Thanks for posting the message; it made me look for more information on the topic. A Christmas present? xD
Finally we see ACL router... joy for my eyes!
I have to try it but I have confirmed the information in:
See: https://community.tp-link.com/en/business/forum/topic/850962
New Features
37. Added support for IP-Group-based ACLs on gateways: when direction is LAN→LAN, source and destination types can now be IP group, IP-port group, IPv6 group, or IPv6-port group in Site > Network Config > ACL.
Hi mate, thanks a lot for sharing this update, this is honestly a huge improvement that I’ve been waiting for for months.
Quick question: do you have an estimated timeline for when Controller v6.1 (official/stable) will be released?
I’m currently running an OC200 hardware controller and I’m not enrolled in the beta program, so the update isn’t available yet on my side.
I’m just trying to plan ahead before making any changes to a production network.
Thanks in advance!
