Use IP Group in Lan-Lan ACL on Omada

Re:Use IP Group in Lan-Lan ACL on Omada
Yesterday

So how does one use a Switch ACL to allow one IP to go through? I have an SG2008 switch.

I created a Gateway ACL with Deny from IoT to Main

I then created a Switch ACL with Permit for IoT:IP/32 to Main:IP/32

I can't ping Main:IP from IoT:IP

Or would I need to nix the Gateway ACL and think of what devices I want from IoT to be able to communicate with Main (e.g., like my hubs) ... or just hope that LAN-LAN IP Groups are coming to the Gateway at some point....

#12
Re:Use IP Group in Lan-Lan ACL on Omada
Yesterday

@GoodOmens I have a feeling that in order to achieve that you may need to do intra-VLAN routing on the switch rather than on the gateway :(

#13
Re:Use IP Group in Lan-Lan ACL on Omada
17 hours ago

@theradioguy It seems my pleas were answered. Controller 6.1, just released, has Gateway-level IP Groups, ports etc. My above scenario works as intended - I can whitelist specific IoT VLAN IPs (and I guess ports if I wanted) to override the blanket IoT->Main deny.

#14
Re:Use IP Group in Lan-Lan ACL on Omada
9 hours ago

@GoodOmens Thanks for posting the message; it made me look for more information on the topic. A Christmas present? xD

Finally we see ACL router... joy for my eyes!

I have to try it, but I have confirmed the information in:

See: https://community.tp-link.com/en/business/forum/topic/850962

New Features

37. Added support for IP-Group-based ACLs on gateways: when direction is LAN→LAN, source and destination types can now be IP group, IP-port group, IPv6 group, or IPv6-port group in Site > Network Config > ACL.

#15
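As an added illustration (not code from this thread or from TP-Link), here is a small first-match ACL model of the layout #14 describes and #15's release note enables: an IP group of permitted IoT hosts placed above the blanket IoT->Main deny in the gateway LAN->LAN ACL. The VLAN ranges, host addresses, the top-down first-match order and the implicit final permit are all assumptions made for the model.

```python
"""Model of an ordered, first-match LAN->LAN ACL with an IP-group whitelist."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the thread).
IOT_VLAN = "192.168.30.0/24"
MAIN_VLAN = "192.168.10.0/24"
# The "IP group": IoT hosts that may reach Main (e.g. hubs), as /32 entries.
IOT_HUBS = ["192.168.30.10/32", "192.168.30.11/32"]


def build_acl(permitted_group, whitelist_first=True):
    """Return an ordered rule list: (action, source networks, destination networks).

    whitelist_first=True places the IP-group permit above the blanket deny,
    which is the arrangement #14 reports as working on Controller 6.1.
    """
    permit = ("permit", list(permitted_group), [MAIN_VLAN])
    deny = ("deny", [IOT_VLAN], [MAIN_VLAN])
    return [permit, deny] if whitelist_first else [deny, permit]


def evaluate(acl, src, dst):
    """First matching rule wins; a packet matching no rule is permitted.

    Top-down first-match and an implicit final permit are modelling
    assumptions here, not a statement about the Omada implementation.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, sources, destinations in acl:
        if any(s in ip_network(n) for n in sources) and any(
            d in ip_network(n) for n in destinations
        ):
            return action
    return "permit"


def reachable_hosts(acl, candidates, dst):
    """Return the candidate IoT hosts that can reach dst under this ACL."""
    return [h for h in candidates if evaluate(acl, h, dst) == "permit"]


if __name__ == "__main__":
    main_host = "192.168.10.5"
    iot_hosts = ["192.168.30.10", "192.168.30.11", "192.168.30.50"]
    good = build_acl(IOT_HUBS, whitelist_first=True)
    bad = build_acl(IOT_HUBS, whitelist_first=False)
    print("whitelist above deny:", reachable_hosts(good, iot_hosts, main_host))
    print("whitelist below deny:", reachable_hosts(bad, iot_hosts, main_host))
```

Running it shows that the same two rules let only the hubs through when the permit sits above the deny, and let nothing through when the order is reversed.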