@Fae 

Thanks again.

I see intervlan is a valuable feature on the router, I was just wondering why there isn't an easy (one tick) option to block it when people don't need it. But of course, I can use ACL rules.

And I guessed that MTU-VLAN doesn't tag the uplink port, I was just not sure. Now it's clear.

The remaining question is about the online detection method, how to make it more reliable in case of mobile ISP.

I created the ACL rules in Firewall.

It seems to work, however I need some clarification:

- Source network and destination network.

It seems obvious, right? But when I wanted, let's say, to block devices in swirch_1 to reach devices in switch_2, it only worked if I chose switch_2 as source and switch_1 as destination. Which is the contrary that my logic would suggest.

Also I want that devices on the same vlan not to be able to reach each other. In the easy smart switches I have already achieved that but wanted to make sure R605 doesn't overrule that in the layer3 environment. So, does it make sense choosing the same vlan to source and destination in a blocking rule? or was it an overkill silliness of mine? If the router let's me do it, I supposed there must be a sense.

A less important question is why are the Source and Destination columns empty? creating the rule there is no such an option (when choosing LAN->LAN).

Finally, I'd like to create a rule for my laptop's IP address to have access to every vlan. Kind of a management access on the local network.

I created an IP Group but when I go to choose LAN->LAN in Access Control, it doesn't give me the option to choose IP Group, only vlans.

If I choose !LAN->LAN and have to option to put that IP Goup, it doesn't work.

And what is "Me" in the list? is it the IP address of the device with what I accessed the web UI of the router?

Anyway, the router doesn't let me choose this Me either when using LAN->LAN.

I would really like to have some feedback and advise about how to avoid inter-vlan with ACL rules on R605.

Above I posted what I had done but it's not clear what is the best way to do.

And most importantly, as @Fae also suggested to configure the easy smart switches with 802.1Q VLAN instead of MTU-VLAN, I can't do it if I have to create as many rules (twice the number of vlans) as in the example above because if I'm not mistaken, in R605 you can create up to 20 rules only.

In the switches I would need a vlan for each port, so there would be 46 vlans created (preferable with different subnet in /24) and trunked via uplink port of the switches to the LAN port of the R605.

If developers created a one-tick option to stop inter-vlan in LAN->LAN communication, life would be easier. But by now we need to find a work-around.

I had an idea: what if I create a vlan (e.g. VLAN2) that won't be connected to any LAN port and therefore not used by any device, although I could create an ACL rule to block traffic between the source !VLAN2 and destination also !VLAN2. Would it work?

In theory it should mean, any traffic from outside of VLAN2 to outside of VLAN2 would be blocked between vlans in LAN->LAN.

I can't test it right now as the devices are in use but if someone could help me testing or giving valuable feedback, I would appreciate it.

If it worked as I wish, then I could setup the swtiches with 802.1Q VLAN, otherwise it's impossible to stop inter-vlan traffic in R605 for so many vlans.

@Fae 

Please, help in this question:

If I configure the R605 and the connected Easy Smart Switches with 802.1q VLAN as you suggested, following the provided instructions, do I still need to create ACL rules to block inter-vlan traffic or the 802.1q already guarantees that on the R605? And if it doesn't, what is the maximum number of ACL rules that can be created on R605 in standalone mode?