I have an ER7206 that I setup a virtual server on and I need to restrict it to specific IPs that are allowed to connect, and block everything else.

Under NAT->Virtual Servers I have an IP set for the station I want external access to

Under Service Type I added the service and port information

Under IP Groups I have a group (PUBLICIPS) set with the public IP range I want to have access to the server (after adding the IPs into the IP Addresses list)

Under IP Groups I have the IP set of the machine I want external access to

Under Firewall->Access Control I have 2 rules

Rule #1 allows the traffic to the server.

Direction is WAN IN

Source is the IP group (PUBLICIPS) that I want to allow access from

Destination is the IP of the server I want to connect to

Rule #2 is the blocking rule

Direction is WAN IN

Source is IPGROUP_ANY

Destination is the IP of the server from Rule #1

With this config I can still connect from any external IP. It's not blocking IPs outside of the PUBLICIPS group. I even tried connecting from my cell phone (not on wifi) and I'm able to conenct.

If I disable the virtual server i do lose access, so at least that is working.