
Specify allowed ip addresses for remote management

arroyopurchases
Level 1

We have 2 RV320 and 1 RV325 routers.

Up until recently, I believed that I had set one of those up to allow remote management and restricted that to a pair of remote addresses by setting up an inbound rule of allow for the remote address on the specified port, then right below it another rule specifying deny to all.

With other devices I have used, this would direct the query from the authorized address to open up the login interface and ignore the following rules, and if not that address then it would encounter the deny rule and prevent access to all.

Recently I discovered that someone had hacked the router because we were 1 firmware rev back from most current.

I was fully convinced that nobody would see the router from the WAN port side, so the hack had to be due to someone on the inside either being responsible or taking some action that allowed an invader on the inside of our network where access is granted.

To my surprise, that is not true. Apparently the listed port is not examined if it is set as the remote access port to the login interface.

This is really bad. I only had that open on one router because the job it performs requires me to gain access from a remote site. Typically I would just deny all remote administration to the WAN side, and do for the others, but I need to be able to access this one remotely or spend 3 hours in a vehicle.

Does anyone know of any trick to make this happen? I believe they turned off the CLI, which in some products is the go-to for things that do not work in the GUI. Am I right about that for this model?
