ER605 standalone ACL confusion

3 weeks ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.4 Build 20240119 Rel.44368

Newbie alert! Rusty in networking and new to TP-Link Omada.

Good day,

I'm struggling with configuring Firewall -> Access Control. Part, if not all, of the problem is that I cannot find proper documentation. I collect bits and pieces from forums like this. Lack of knowledge combined with unexpected features makes it hard for me to set up and debug.

An example:

I have a LAN and a couple of VLANs set up, router interfaces 192.168.x.1/24.

I have access via VPN, and have configured the IP range used in a group IPGROUP_VPN.

I have found the use of 'me' documented somewhere, cannot remember where.

Safety first, so I create a rule to allow access to the router.

| ID | Name | Policy | Service Type | Direction | Source | Destination | Source Network | Destination Network | Effective Time | Operation |
|----|------|--------|--------------|-----------|--------|-------------|----------------|---------------------|----------------|-----------|
| 1 | testrule | Allow | ALL | ALL | IPGROUP_VPN | Me | --- | --- | Any | |

Except that it doesn't. Apparently my understanding of 'Me' is wrong. The router interfaces are not included in 'Me', and this rule does not allow access to the router. Yes, I have locked myself out at some time with a deny rule farther on in the list. I had to go onsite to undo the change.

Trying to pick myself up, and still in need of a safety net, I created IPGROUP_ROUTER, which contains the IP addresses of the (V)LAN interfaces of the router. In Preferences -> IP Group -> IP Address I created a 'range' consisting of only 192.168.x.1 for each of the (V)LANs and made them a member of group IPGROUP_ROUTER. When I substitute Me with IPGROUP_ROUTER, I can ping the router, access the management interface, and so on. Great.

I leave the ping running (ping 192.168.x.1 -t) and revert the rule to what's shown above. The ping does not stop. Best guess: some table considers this ping as established, with no need to reconsider access. Understandable but confusing. After some time, where 'some' is yet to be determined, that state is cleared and ping no longer works to that interface.

This was just an example: misunderstanding 'Me' and getting bitten by some state caching. I cannot be the only one, can I?

There may be a better way to configure such a safety net, please enlighten me, but the rule as shown should have worked according to what I believed (past tense) to be true.

All of my experimenting may have failed due to both misconceptions ('Me' and the state caching).

Yes, I have searched for documentation, but no, the user guide is not what I need. Please direct me to complete documentation so as to avoid further rookie mistakes. Thanks.

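The "state caching" the post describes is the normal behaviour of a stateful firewall: the ACL is consulted only when a flow is first seen, and later packets of a tracked flow pass on the strength of the existing state entry until it ages out. The following is an added illustration written for this thread, a toy model and not TP-Link's or Omada's code. The VPN subnet, the router interface addresses, the 60-second state lifetime, and the choice to model 'Me' as a group that covers none of the interface addresses (matching what the post observed, not a statement about how Omada defines it) are all constructed assumptions.

```python
# Hypothetical model of a first-match ACL sitting in front of a stateful
# connection table. Added illustration, not TP-Link's or Omada's code; every
# address, group and timeout below is constructed for the demonstration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass
class Rule:
    name: str
    policy: str                     # "Allow" or "Deny"
    src: list                       # list of IPv4Network objects (an "IP group")
    dst: list


def in_group(addr: IPv4Address, group: list) -> bool:
    """An empty group matches nothing; this is how the post's 'Me' behaved."""
    return any(addr in net for net in group)


@dataclass
class Firewall:
    rules: list
    state_lifetime: int = 60        # assumed fixed age after which a tracked flow is re-evaluated
    conntrack: dict = field(default_factory=dict)   # (src, dst) -> time the entry was created

    def evaluate(self, src: IPv4Address, dst: IPv4Address) -> str:
        """First matching rule wins; no match falls through to an assumed implicit deny."""
        for rule in self.rules:
            if in_group(src, rule.src) and in_group(dst, rule.dst):
                return rule.policy
        return "Deny"

    def packet(self, src: str, dst: str, now: int) -> str:
        s, d = ip_address(src), ip_address(dst)
        created = self.conntrack.get((s, d))
        if created is not None and now - created < self.state_lifetime:
            return "Allow"          # established flow: the rule list is not consulted at all
        decision = self.evaluate(s, d)
        if decision == "Allow":
            self.conntrack[(s, d)] = now
        else:
            self.conntrack.pop((s, d), None)
        return decision


# Constructed groups mirroring the post's setup.
IPGROUP_VPN = [ip_network("10.8.0.0/24")]
IPGROUP_ROUTER = [ip_network("192.168.10.1/32"), ip_network("192.168.20.1/32")]
ME = []                             # models the observation that interface IPs were not covered
ALL_LANS = [ip_network("192.168.0.0/16")]


def run_demo() -> list:
    """Replays the post's experiment; returns (time, description, decision) steps."""
    fw = Firewall(rules=[
        Rule("testrule", "Allow", IPGROUP_VPN, ME),
        Rule("lockout", "Deny", IPGROUP_VPN, ALL_LANS),   # the deny rule farther down the list
    ])
    vpn_host, router_if = "10.8.0.5", "192.168.10.1"
    steps = [(0, "destination Me", fw.packet(vpn_host, router_if, 0))]
    fw.rules[0].dst = IPGROUP_ROUTER                    # substitute the router group
    steps.append((1, "destination IPGROUP_ROUTER", fw.packet(vpn_host, router_if, 1)))
    fw.rules[0].dst = ME                                # revert while the ping keeps running
    for t in (2, 30, 59):
        steps.append((t, "reverted, state still valid", fw.packet(vpn_host, router_if, t)))
    steps.append((61, "reverted, state expired", fw.packet(vpn_host, router_if, 61)))
    return steps


if __name__ == "__main__":
    for t, what, decision in run_demo():
        print(f"t={t:>3}s  {what:<30} -> {decision}")
```

Running it shows the sequence from the post: the first ping is denied by the later deny rule, substituting IPGROUP_ROUTER allows it and creates a state entry, reverting the rule changes nothing while that entry is alive, and only once the entry ages out is the ACL consulted again and the ping denied. The practical consequence is the one the post ran into: a "does my ping still work" check only tells you about new flows, so the safety-net rule has to be verified from a fresh connection after every ACL change.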