@Fae 

My problem is that I want any VLAN to be able to access the router for DHCP requests, but I want to be able to block access to the router management page from certain VLAN such as the guest network.

I find it really confusing that there is currently no apparent way to achieve this.

Do you know whether/how this can be done?

  @Fae 

Your statement as best answer is misleading.
I have posted my configuration on this forum long time ago and later on I asked the developers to verify and confirm with v1.2.1 that it works for them because for me it does not.
It works on v1.1.1 and after updating the firmware the router does not work.

I also tried disabling the ACL rule before updating the firmware, the router booted up then when I enabled the ACL rule again on the new firmware, after a few seconds it stopped working again.

There is ZERO tutorial on the internet (by TP-Link or by anyone else) apart from my related forum post that would hint how to isolate every vlan from each other on ER605 router in standalone mode.

The ones that exist only say how to isolate one vlan from another but in a config with 50 vlans this is not viable.

  @Fae 

Thanks for your cooperation.

Yes, I also realized that the suggested tutorials don't have the same !vlan as source and destination and I was thinking about it when @Hank21 wrote in a thread that according to the developers the new firmware fixed that issue.
 

I would like to find the solution for that simple case when every vlan can reach the internet but is isolated from each other.
So it would be important to have a tutorial for that (if developers don't create a one tick option for it in the management page).

Now that in ACL setup page there is the option to set "me", I could try using it instead of that phantom vlan (I just created for that purpose), so !me as source (and perhaps !me as destination as well?).
If I can't choose the same !vlan for both source and destination what else would be appropriate to choose? IPGROUP_LAN?

Soon I'll be in the router's location and will try to do some more testing.

Fae wrote

To figure out the issue, I've reported your case to the support engineer for further investigation. If possible, could you please describe the phenomenon of the ACL not working issue in detail so that our engineer can try to reproduce the issue?

As I have reported previously, after enabling that single ACL rule, the router after a few seconds becomes unreachable. No local network, no internet. Reboot doesn't help.
I've tried:

- upgrading to new firmware using the existing configuration
- reset in new firmware and restore backed up configuration from previous firmware
- reset in new firmware and reconfigure the whole network with the numerous vlans
In every situation the router stops working after enabling that ACL rule.

  @Fae 

I don't mind using beta. So if there is one that you can provide me, I'd happily try it.

Also, I don't mind creating 46 (or so) ACL rules to block each vlan from the others but I thought it would "cost" too much resources on the router. As this amount of vlans already causes the router to boot in over 10 minutes. (however upon the boot up, the memory and CPU in normal operation still shows moderate/low usage)

Besides, in my experience in earlier firmwares until v1.1.1 (perhaps until the one before that one) one direction was not enough. In my old configuration where I used MTU-VLAN in the two easy smart switches connected and thus only had needed 3 vlans on the router, if I didn't create the blocking rule for both direction, it didn't stop inter-vlan.

Dear  @Fae ,

I have two discussion points:

1.

Fae wrote

[...]

In Standalone mode, there is a "Me" option for Source/Destination network, which refers to the router management page.

 

You can add an Allow rule then a Block rule to allow only the specific VLAN to access the router management page.

This is not entirely in accordance with my testing (using v1.2.1). I applied the following:

Result: devices outside the IPGROUP_MGMT are getting an IP (DHCP works) but cannot access the internet, tested with one Windows laptop and one Android phone. This issue is separate to the main issue in this thread, should I create a new thread with this info?
My current solution is to use the HTTP service and create a similar HTTPS servic to use for blocking each exposed router webpage port (in my case the default 80 and 443). I then used these services to create the following rules:

These rules successfully block acces to the router webpage login from any network except the MGMT VLAN, while still allowing normal internet access for all devices in the network.

2.

My rules to isolate VLANs now also work, but they appear to work bidirectionally instead of unidirectionally. If I add this rule:

I cannot acces a webpage that is hosted on the IOT network from a device on the Private network. I expected this to be possible since in this blocking rule, IOT is configured as source and Private as destination. What could be wrong here?

  @K_verb 

I didn't understand your example_1 to block management page. In the image it seems you were blocking http and https for everyone outside of MGMT. If you block those ports, how can they use the web services that also require port 80 and 443?
And why didn't you create an Allow rule for Me to MGMT and then in 2. place in the list a Block rule for Me to IPGROUP_LAN?

About your 2. question (that actually is related to the 1. this way),

and it bugged me long ago when I just had to isolate 3 vlans with individual ACL rules and I realized that Source and Direction are the opposite to what we would expect and for me what would be logical.

Look at the suggestion @Fae kindly gave me above, to block VLAN10 (as Source) from !VLAN10 (as Destination). He explains it as to block VLAN10 from everything else.

It means that the one that you want to avoid reaching a specific vlan is configured as Destination and not the Source.

Now, whether it blocks bidirectionally or not, I can't tell until I get to the scene to try the new firmware. But you can check it out.

If it's really bidirectional now (and so it doesn't matter which way you set it up) and there is no other option to block just one direction, that would be a problem for many. (not for me though)

By the way, your printscreen shows beta firmware page with the watermark in the background. The official v1.2.1 is not beta.