Single IP ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-07-21 11:20:14
Model: SG2210P  

Hi community,

I am still learning. The basic settings are OK, but now I would like to set up some access control.

Every device is within the same IP group, and I now want four specific IPs to have access to another IP.

What is the right way to do this?

Thanks!

Re:Single IP ACL
2022-07-22 06:04:50

@CK1710 To do the ACL we may need more details, like which IP you want to have access and which IP to block. The information you provided is not enough.

But from my experience there is one thing you need to be concerned about: the TP-Link switch has a default BLOCK ALL ACL entry.

That means in your configuration, if you did not set up a Permit rule, then no data can go through.

TP-Link MAC ACL (I think what you want is IP ACL, but basically they are the same steps; one uses IP and the other uses the device MAC).

Re:Single IP ACL
2022-07-22 07:14:16

@Somnus

What I explicitly would like to do is to provide access to my WLAN speaker with fixed IP 192.168.0.23 only to:

- PC with fixed IP 192.168.0.50
- Mobile phone with fixed IP 192.168.0.53
- Tablet with fixed IP 192.168.0.54

All other devices (PCs, phones, TV, ...) in the same IP range 192.168.0.x should not have access to the speaker.

What I tried so far:

Two IP groups: one named "Speaker" with the speaker IP 192.168.0.23/24, and a second group "Devices with Access" with the three IPs from above, each row being the IP with /24 behind it.

Two switch ACLs: the first one denying "IPgroup_any" access to group "Speaker", the second permitting access from the "Devices with Access" group to the "Speaker" group.

Unfortunately, after applying them I had to reset my whole network, since all communication was blocked. With just the second ACL in place, all devices still have access to the speaker.

My network setup:

FritzBox - SG2008 - SG2210P - 3x EAP245

PCs are connected to the switches.

Mobile phones, the tablet and the speaker are connected to one of the EAPs.

Re:Single IP ACL
2022-07-25 04:52:36

@CK1710 The ACL entries are applied one by one. Your first rule just blocked all access to the speaker, so the 2nd one won't work; and since there is a default Deny ALL rule, your other network communication will also be blocked.

You need to swap the 1st and 2nd rule, and add a 3rd one that allows any IP to any IP.

Re:Single IP ACL
2022-07-25 07:17:26

  @Somnus 

Ah OK, so the logic proceeds from top to bottom, and an item is ignored if the IP is already included further up (except IPgroup_any), right?

So, if I would like to have an additional rule for one of my mobile phones, this will not work?

For example, the following ACL:

1. Permit group1 to group "speaker"
2. Permit group2 (includes one device from group1) to group "printer"
3. Deny IPgroup_any to group "speaker"
4. Deny IPgroup_any to group "printer"
5. Permit IPgroup_any to IPgroup_any

Re:Single IP ACL
2022-07-25 07:21:15

@CK1710 That's right.

If you want to add your mobile phone, just modify rules 1 and 2 and add the mobile phone's IP to the source group.

Re:Single IP ACL
2022-07-25 07:37:56 - last edited 2022-07-25 07:38:53

@Somnus

OK, it will work with the second group. Hm, it seems I still have some misunderstandings of the ACL logic.

My understanding now, when doing ACLs:

First define the permits, then define the denies, and finally permit IPgroup_any to IPgroup_any to prevent a lockout if none of the prior rules matches.

I would appreciate it if you could confirm, or correct me if I am wrong.

Re:Single IP ACL
2022-07-25 08:24:36

@CK1710 Your understanding is correct.

Re:Single IP ACL
2022-07-25 08:54:07

@Somnus

Many thanks, yes.

Re:Single IP ACL
2022-07-25 14:38:51 - last edited 2022-07-25 14:51:02

@Somnus

Sorry to bother you again, but I once more successfully locked myself out.

I just wanted to check with two devices whether my understanding is correct and whether it works.

These are the steps I followed:

1. Set up a group including the device with access.

2. Set up a group with the device whose access is controlled.

3. Set up three rules in the ACL.

Did I do something wrong? (Note: the screen above shows the ACLs disabled; when it happened, they were all enabled.)

Re:Single IP ACL
2022-07-26 04:01:17

@CK1710 I saw your subnets are all /24. That means a whole subnet, not just the IP you put in.

For example, if you want to allow 192.168.178.110 to access, you should put in 192.168.178.110/32.
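As an added illustration, not from this thread or from TP-Link's firmware, here is a small Python model of the first-match, default-deny evaluation Somnus describes, run over the three rule sets discussed above (deny-any before the permit; corrected order with /24 groups; corrected order with /32 hosts). The TV and printer addresses and the use of 0.0.0.0/0 to stand in for IPgroup_any are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed hosts in the thread's subnet: speaker .23 and PC .50 are from the
# posts; the TV and printer addresses are assumed. 0.0.0.0/0 stands in for IPgroup_any.
SPEAKER, PC, TV, PRINTER = "192.168.0.23", "192.168.0.50", "192.168.0.60", "192.168.0.70"
ANY = "0.0.0.0/0"

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for one src->dst flow.

    acl is a list of (action, source CIDRs, destination CIDRs). Rules are
    checked top to bottom and the first rule matching both ends wins; if none
    matches, the switch's implicit BLOCK ALL entry applies.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_group, dst_group in acl:
        # strict=False lets "192.168.0.23/24" mean the whole 192.168.0.0/24
        if any(s in ip_network(n, strict=False) for n in src_group) and \
           any(d in ip_network(n, strict=False) for n in dst_group):
            return action
    return "deny"

def scenarios():
    """The thread's three rule sets, each evaluated for the same flows."""
    wrong_order = [  # first attempt: deny-any above the permit, /24 masks
        ("deny", [ANY], [SPEAKER + "/24"]),
        ("permit", [PC + "/24"], [SPEAKER + "/24"]),
    ]
    right_order_24 = [  # order fixed, but /24 still makes each group the whole subnet
        ("permit", [PC + "/24"], [SPEAKER + "/24"]),
        ("deny", [ANY], [SPEAKER + "/24"]),
        ("permit", [ANY], [ANY]),
    ]
    right_order_32 = [  # order fixed and single hosts written as /32
        ("permit", [PC + "/32"], [SPEAKER + "/32"]),
        ("deny", [ANY], [SPEAKER + "/32"]),
        ("permit", [ANY], [ANY]),
    ]
    flows = {"pc->speaker": (PC, SPEAKER), "tv->speaker": (TV, SPEAKER),
             "pc->printer": (PC, PRINTER)}
    acls = {"wrong_order": wrong_order, "right_order_24": right_order_24,
            "right_order_32": right_order_32}
    return {name: {f: evaluate(acl, *pair) for f, pair in flows.items()}
            for name, acl in acls.items()}

if __name__ == "__main__":
    for name, results in scenarios().items():
        print(name, results)
```

Only the third rule set both lets the PC reach the speaker and keeps the TV out while leaving unrelated traffic (PC to printer) working; the first blocks everything, and the second permits the whole subnet because /24 widens every group to 192.168.0.0/24.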
