@shberge 

Is that possible for you to change port 8043 to another port to avoid your security concerns? It's the HTTPS connection. Will changing this port number make a difference for your firmware upgrade? I know that port is under the Controller settings and is possible to be changed.

I remember ACL applies to WAN>LAN. Create an ACL to stop others from accessing your network? https://www.tp-link.com/us/support/faq/2026/

  @John1234 

yes I changed the port and disabled NAT rule, (but then firmware update also use the new port)
I open NAT only when I need to do firmware updates on the remote site.

but for coves little thoughtful to do it this way.

it does not help to block since the remote site has dynamic IP, if I could use FQDN in the NAT rule it would have been fixed.

It is also not possible to block WAN to LAN in the router, it is only in stand alone mode you can do this.

  @shberge 

I remember that there is a default rule for the Controller ACL, something like all IPs? If not, you can try and create a group with 0.0.0.0/0.0.0.0 and this means IP addresses. Will this resolve the issue you have?

  @John1234 

You can create rules from LAN to WAN but not from WAN to LAN, but anyway such rules will not work when the remote site has dynamic IP. What's the point of making a NAT rule that allow all ip and then blocking the whole world afterwards 

I have solved it for now with deactivating NAT rule, now I know about the new port so then I activate it when a remote device ned Firmware update..