I Can't seem to get this to work.
What is the firewall rule to Bock ALL RDP ( Port 3389 ) access to the internal server on 192.168.0.x EXCEPT from 101.0.0.1 ?
There is one internal connection ( LAN1 ) and two external Connections ( WAN 1 and WAN 2 ) to separate Routers / ISPs.

TIA

You need two rules. The first one does an accept and allows only the permitted IP to access the RDP port, the second one does a drop for anything else going to the RDP port. Struggling to find a single rule to do something usually means that you need two or more, and sometimes even a side chain to simplify things.

One NAT rule is enough: HTH,

Thanks.
Digging into the setup of this router further i see that WAN 1 is bridged. would this be why the rules aren't applying ?

But can't one simply use a bang (!) to say Drop where IP NOT = 101.0.0.1 ?
Surely that's simpler.

This rule states that RDP Dst-NAT is possible only when src-address is 101.0.0.1,
for other addresses it doesn't work, that's all.

HTH,

Thanks. I do understand the rule.
( My reference to the Bang was in reply to the first responders message about two rules )