Limit access only to VPN users
I played with the firewall and it seems like it uses ports and IP addresses. IP addresses are very easy to hijack. Some MiTM can hijack the MAC too.
I need the router to allow only users who know the shared key to pass through. I want the firewall to try to decrypt the packet and, if it fails, to drop it. This way I know only VPN users have access. Any other means of firewalling are worthless from a security point of view.
Given the fact that the firewall only uses ports and IP addresses to make a decision, maybe, I don't know, the router will inherently, by default, allow only packets that were successfully decrypted on a given interface that has an encrypted tunnel enabled on it. I don't know how the TP-Link router handles this, which is why I ask. I need access control, not anonymity of payload data. I would use the PPPoE Server service offered by other TP-Link router models, where it is clearly stated in the configuration menu that only users with a password can pass, but PPPoE control bytes are not encrypted and therefore easy to hijack.