@Domada 

There is something missing on the router ACL, wan/in does not work on the wan interface itself but from wan to lan, port NAT and things like that will be blocked from country. If I compare with e.g. unifi, there is acl for internet local, translated to tp-link, wan local that we need to make this work. For now, there is no way to block access to wan directly, that is, there are some settings under Attack Defense that can block ping. There are still some ACLs missing on the router, strange that it is not prioritized.

  @MR.S

 That's bad that you cannot customize the ACL on the wan interface itself. Also, it can potentially have negative impacts on the router DOS 

To reduce the noise I can only disable the notification "gateway detected attack" but that category includes other attacks I want to watch out for if it's occurring in bulk. Unless there is something else I can do. 

  @Domada 

basically everything should be blocked on the wan interface so it shouldn't be necessary to block anything, but i use wan local or internet local as it's called on unifi quite a lot to open up for ping ssh or web management to the router from the administration network i have. but location acl with wan/in works pretty well i think. i have blocked the whole world with wan/in and opened up only for my home country,

to avoid the warning you can disable this, the router does what it's supposed to and then blocks :-)

  @MR.S 

Well its two different things, as you are aware the router is receiving the traffic from China, determing it as a WAN ping attack and then dropping it. I should be able to make an ACL which denies all the traffic from China without the router receiving it and reading the traffic. It puts more work on the router to do it the way it is now, hence why I said it can impact performance. I should be able to place an ACL which completely overrides this and requires no need for the router to determine if its a WAN ping attack on WAN interface as you mentioned and simply deny the traffic and not see any alerts. 

I appreciate your response but it's not much of a solution to disable all "Gateway Detected Attack" notifications. Surely, there should be some other way to make it work better. 

Can anybody from TPLink advise? 

  @GRL 

it was cool that you can block the Gateway Management Page on the WAN interface too, I didn't know that. learn something new every day :-)

This way I can also ensure that the VPN cannot connect from countries other than the ones I have chosen. Now I suddenly got a much more secure network.

  @GRL 

I turned that setting on for the day and it seemed to have gotten rid of the alerts. 

It's interesting. The docs isn't too clear on that it will block on the wan interface from the internet:

Gateway Management Page:This option will allow/block LAN network devices to access the gateway management page.

but it seems to work. 
 

Thanks a lot!

Glad it helped you both !

Another one that also works is you can make an ip group with your wan ip and block wan in to that, but it seems to function the same way as the gateway management page one, uses up an ip group and is only applicable if you have a static public ip