@jupiter 

It really depends if the ISP device is a MODEM or a ROUTER.

If its a Modem, then fine you can just set forwarding on the Deco as needed.  If its a Router however you will need to consider double NAT and have the ISP router forward to the Deco, then the Deco forward to the client

Dont ever set a forwarding on 80 or 443 as that is internet traffic.. EVERYTHING will then go to your PS5 or whatever you have it set.  You only need to forward the UDP and TCP ports for data, this is usually anything OVER 1024  

For example, PSN just the 3478-3480  ports.. not the 80 443 as these are ports used for all internet traffic by all devices, forwarding them would screw your access :)

  @Philbert PSN is not clear about what ports are inbound what are outbound, I will follow your suggestion!

They statement reported in PSN docs indicates:

:

• TCP: 80, 443, 3478, 3479, 3480
• UDP: 3478, 3479

and many other sources report this. It is not clear if these are outbound rules the playstation uses to connect to services or inbound rules for online gaming, when the playstation is a server. 

My ISP provides a modem router, but I want to use the better features offered by Deco, so I will not connect them in access point mode but in router mode. It means I need a double forwarding: ISP --> Deco and Deco --> Playstation.

The Deco unit should immediately route all the traffic coming from ports 80 and 443 to the fixed IP I assigned by DHCP to the playstation, not to the other IPs I have in teh network because I forward only to binded services IP:port; the risk of an exploit is only on the playstation. I will try to exclude 80 and 443, my son, the main unser of gaming, will report me the results. 

To avoid many forwardings, I will set up a VPN server, unfortunately this is a feature offered by other TPLINK modem, but not by noth X50 and M9: with a "triple forwarding" I will connect another TP-LINK router with wifi disabled and OpenVPN enabled.

jupiter