diff --git a/server/dbdata/group.go b/server/dbdata/group.go
index 8e561b6..d8f8f1f 100644
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"regexp"
 	"strings"
+	"strconv"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
@@ -24,11 +25,12 @@ const DsMaxLen = 20000
 
 type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
-	Action string     `json:"action"` // allow、deny
-	Val    string     `json:"val"`
-	Port   uint16     `json:"port"`
-	IpNet  *net.IPNet `json:"ip_net"`
-	Note   string     `json:"note"`
+	Action 		string     `json:"action"` // allow、deny
+	Val    		string     `json:"val"`
+	PortStr    	string     `json:"port_str"`
+	Ports   	[]uint16   `json:"ports"`
+	IpNet  		*net.IPNet `json:"ip_net"`
+	Note   		string     `json:"note"`
 }
 
 type ValData struct {
@@ -161,9 +163,25 @@ func SetGroup(g *Group) error {
 				return errors.New("GroupLinkAcl 错误" + err.Error())
 			}
 			v.IpNet = ipNet
-			linkAcl = append(linkAcl, v)
+			if regexp.MustCompile(`^\d{1,5}(,\d{1,5})*$`).MatchString(v.PortStr) {
+				for _, port := range strings.Split(v.PortStr, ",") {
+					if port == "" {
+						continue
+					}
+					portInt, err := strconv.Atoi(port)
+					if err != nil {
+						return errors.New("端口:"+port+" 格式错误, " + err.Error())
+					}
+					v.Ports = append(v.Ports, uint16(portInt))
+				}
+				linkAcl = append(linkAcl, v)
+			} else {
+				return errors.New("端口: "+v.PortStr+" 格式错误,请用逗号分隔的端口列表,比如: 22,80,443")
+			}
+
 		}
 	}
+
 	g.LinkAcl = linkAcl
 
 	// DNS 判断
@@ -238,6 +256,15 @@ func SetGroup(g *Group) error {
 	return err
 }
 
+func ContainsInPorts(ports []uint16, port uint16) bool {
+	for _, p := range ports {
+		if p == port {
+			return true
+		}
+	}
+	return false
+}
+
 func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	g := &Group{Auth: authData}
 	authType := g.Auth["type"].(string)
diff --git a/server/handler/payload.go b/server/handler/payload.go
index e5ed545..2bca3f6 100644
--- a/server/handler/payload.go
+++ b/server/handler/payload.go
@@ -89,7 +89,7 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
 		// 循环判断ip和端口
 		if v.IpNet.Contains(ipDst) {
 			// 放行允许ip的ping
-			if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
+			if dbdata.ContainsInPorts( v.Ports , ipPort) || v.Ports[0] == 0 || ipProto == waterutil.ICMP {
 				if v.Action == dbdata.Allow {
 					return true
 				} else {
diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index cb28dce..085b22a 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -52,7 +52,7 @@
             <template slot-scope="scope">
                 <el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps</el-row>
                 <el-row v-else>不限</el-row>
-            </template>            
+            </template>
         </el-table-column>
 
         <el-table-column
@@ -72,10 +72,10 @@
             <el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
             <div v-if="scope.row.route_include.length > readMinRows">
               <div v-if="readMore[`ri_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">{{ readMore[`ri_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
-            </div>            
+              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">{{ readMore[`ri_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>
+            </div>
           </template>
         </el-table-column>
 
@@ -87,9 +87,9 @@
             <el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
             <div v-if="scope.row.route_exclude.length > readMinRows">
               <div v-if="readMore[`re_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">{{ readMore[`re_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">{{ readMore[`re_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>
             </div>
           </template>
         </el-table-column>
@@ -100,15 +100,15 @@
             min-width="180">
           <template slot-scope="scope">
             <el-row v-for="(item,inx) in scope.row.link_acl.slice(0, readMinRows)" :key="inx">
-              {{ item.action }} => {{ item.val }} : {{ item.port }}
+              {{ item.action }} => {{ item.val }} : {{ item.port_str }}
             </el-row>
             <div v-if="scope.row.link_acl.length > readMinRows">
               <div v-if="readMore[`la_${ scope.row.id }`]">
                 <el-row v-for="(item,inx) in scope.row.link_acl.slice(readMinRows)" :key="inx">
-                  {{ item.action }} => {{ item.val }} : {{ item.port }}
+                  {{ item.action }} => {{ item.val }} : {{ item.port_str }}
                 </el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">{{ readMore[`la_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">{{ readMore[`la_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>
             </div>
           </template>
         </el-table-column>
@@ -178,7 +178,7 @@
 
       <el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
         <el-tabs v-model="activeTab" :before-leave="beforeTabLeave">
-           <el-tab-pane label="通用" name="general">      
+           <el-tab-pane label="通用" name="general">
                 <el-form-item label="用户组ID" prop="id">
                 <el-input v-model="ruleForm.id" disabled></el-input>
                 </el-form-item>
@@ -234,7 +234,7 @@
                         <el-radio :label="1" border>启用</el-radio>
                         <el-radio :label="0" border>停用</el-radio>
                     </el-radio-group>
-                </el-form-item>            
+                </el-form-item>
             </el-tab-pane>
 
             <el-tab-pane label="认证方式" name="authtype">
@@ -244,43 +244,43 @@
                         <el-radio label="radius" border>Radius</el-radio>
                         <el-radio label="ldap" border>LDAP</el-radio>
                     </el-radio-group>
-                </el-form-item>   
+                </el-form-item>
                 <template v-if="ruleForm.auth.type == 'radius'">
                   <el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
                       <el-input v-model="ruleForm.auth.radius.addr" placeholder="例如 ip:1812"></el-input>
-                  </el-form-item>                
+                  </el-form-item>
                   <el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
                       <el-input v-model="ruleForm.auth.radius.secret" placeholder=""></el-input>
-                  </el-form-item>               
+                  </el-form-item>
                 </template>
 
                 <template v-if="ruleForm.auth.type == 'ldap'">
                   <el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
-                      <el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>    
-                  </el-form-item> 
+                      <el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>
+                  </el-form-item>
                   <el-form-item label="开启TLS" prop="auth.ldap.tls">
-                    <el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>                      
+                    <el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
                   </el-form-item>
                   <el-form-item label="管理员 DN" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
                     <el-input v-model="ruleForm.auth.ldap.bind_name" placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
                   </el-form-item>
                   <el-form-item label="管理员密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
                     <el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd" placeholder=""></el-input>
-                  </el-form-item>                                                
+                  </el-form-item>
                   <el-form-item label="Base DN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
                     <el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
                   </el-form-item>
                   <el-form-item label="用户对象类" prop="auth.ldap.object_class" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
                     <el-input v-model="ruleForm.auth.ldap.object_class" placeholder="例如 person / user / posixAccount"></el-input>
-                  </el-form-item>                  
+                  </el-form-item>
                   <el-form-item label="用户唯一ID" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
                     <el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName / uid / cn"></el-input>
                   </el-form-item>
                   <el-form-item label="受限用户组" prop="auth.ldap.member_of">
                     <el-input v-model="ruleForm.auth.ldap.member_of" placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
-                  </el-form-item>                                                                      
-                </template>                 
-            </el-tab-pane>  
+                  </el-form-item>
+                </template>
+            </el-tab-pane>
 
             <el-tab-pane label="路由设置" name="route">
                 <el-form-item label="包含路由" prop="route_include">
@@ -293,7 +293,7 @@
                     <el-col :span="4">
                       <el-button size="mini" type="info" icon="el-icon-edit" circle
                                 @click.prevent="openIpListDialog('route_include')"></el-button>
-                    </el-col>                    
+                    </el-col>
                 </el-row>
                 <templete v-if="activeTab == 'route'">
                     <el-row v-for="(item,index) in ruleForm.route_include"
@@ -322,7 +322,7 @@
                     <el-col :span="4">
                       <el-button size="mini" type="info" icon="el-icon-edit" circle
                                 @click.prevent="openIpListDialog('route_exclude')"></el-button>
-                    </el-col>                    
+                    </el-col>
                 </el-row>
                 <templete v-if="activeTab == 'route'">
                     <el-row v-for="(item,index) in ruleForm.route_exclude"
@@ -344,16 +344,16 @@
             <el-tab-pane label="权限控制" name="link_acl">
                 <el-form-item label="权限控制" prop="link_acl">
                 <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.3.0/24 端口0表示所有端口</el-col>
+                    <el-col :span="20">输入CIDR格式如: 192.168.3.0/24 端口0表示所有端口,多个端口用,号分隔</el-col>
                     <el-col :span="4">
                     <el-button size="mini" type="success" icon="el-icon-plus" circle
                                 @click.prevent="addDomain(ruleForm.link_acl)"></el-button>
                     </el-col>
-                </el-row>  
+                </el-row>
 
                 <el-row v-for="(item,index) in ruleForm.link_acl"
-                        :key="index" style="margin-bottom: 5px" :gutter="5">
-                    <el-col :span="11">
+                        :key="index" style="margin-bottom: 5px" :gutter="1">
+                    <el-col :span="10">
                     <el-input placeholder="请输入CIDR地址" v-model="item.val">
                         <el-select v-model="item.action" slot="prepend">
                         <el-option label="允许" value="allow"></el-option>
@@ -361,10 +361,10 @@
                         </el-select>
                     </el-input>
                     </el-col>
-                    <el-col :span="3">
-                    <el-input v-model.number="item.port" placeholder="端口"></el-input>
+                    <el-col :span="6">
+                    <el-input v-model="item.port_str" type="textarea" :autosize="{ minRows: 1, maxRows: 2}" placeholder="多端口,号分隔"></el-input>
                     </el-col>
-                    <el-col :span="8">
+                    <el-col :span="6">
                     <el-input v-model="item.note" placeholder="备注"></el-input>
                     </el-col>
                     <el-col :span="2">
@@ -378,7 +378,7 @@
             <el-tab-pane label="域名拆分隧道" name="ds_domains">
                 <el-form-item label="包含域名" prop="ds_include_domains">
                     <el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
-                </el-form-item>                
+                </el-form-item>
                 <el-form-item label="排除域名" prop="ds_exclude_domains">
                     <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
                     <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的windows和MacOS桌面客户端，不支持移动端.</div>
@@ -392,7 +392,7 @@
                 <el-button @click="closeDialog">取消</el-button>
             </el-form-item>
           </el-tabs>
-        </el-form> 
+        </el-form>
     </el-dialog>
     <!--测试用户登录弹出框-->
     <el-dialog
@@ -414,7 +414,7 @@
                 <el-button @click="authLoginDialog = false">取 消</el-button>
             </el-form-item>
         </el-form>
-    </el-dialog> 
+    </el-dialog>
     <!--编辑模式弹窗-->
     <el-dialog
     :close-on-click-modal="false"
@@ -462,10 +462,10 @@ export default {
       readMinRows : 5,
       maxRouteRows : 2500,
       defAuth : {
-                type:'local', 
+                type:'local',
                 radius:{addr:"", secret:""},
                 ldap:{
-                      addr:"", 
+                      addr:"",
                       tls:false,
                       base_dn:"",
                       object_class:"person",
@@ -474,7 +474,7 @@ export default {
                       bind_name:"",
                       bind_pwd:"",
                       },
-      },          
+      },
       ruleForm: {
         bandwidth: 0,
         bandwidth_format: '0',
@@ -488,7 +488,7 @@ export default {
       },
       authLoginDialog : false,
       ipListDialog : false,
-      authLoginLoading : false,      
+      authLoginLoading : false,
       authLoginForm : {
         name : "",
         pwd : "",
@@ -506,7 +506,7 @@ export default {
           {required: true, message: '请输入密码', trigger: 'blur'},
           {min: 6, message: '长度至少 6 个字符', trigger: 'blur'}
         ],
-      },         
+      },
       rules: {
         name: [
           {required: true, message: '请输入组名', trigger: 'blur'},
@@ -524,22 +524,22 @@ export default {
         ],
         "auth.radius.secret": [
           {required: true, message: '请输入Radius密钥', trigger: 'blur'}
-        ],        
+        ],
         "auth.ldap.addr": [
           {required: true, message: '请输入服务器地址(含端口)', trigger: 'blur'}
-        ],  
+        ],
         "auth.ldap.bind_name": [
           {required: true, message: '请输入管理员 DN', trigger: 'blur'}
         ],
         "auth.ldap.bind_pwd": [
           {required: true, message: '请输入管理员密码', trigger: 'blur'}
-        ],         
+        ],
         "auth.ldap.base_dn": [
           {required: true, message: '请输入Base DN值', trigger: 'blur'}
         ],
         "auth.ldap.object_class": [
           {required: true, message: '请输入用户对象类', trigger: 'blur'}
-        ],        
+        ],
         "auth.ldap.search_attr": [
           {required: true, message: '请输入用户唯一ID', trigger: 'blur'}
         ],
@@ -554,7 +554,7 @@ export default {
       }
       if (row.auth.type == "ldap" && ! row.auth.ldap.object_class) {
         row.auth.ldap.object_class = this.defAuth.ldap.object_class;
-      }      
+      }
       this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
     },
     handleDel(row) {
@@ -572,9 +572,9 @@ export default {
         console.log(error);
       });
     },
-    handleEdit(row) {      
+    handleEdit(row) {
       !this.$refs['ruleForm'] || this.$refs['ruleForm'].resetFields();
-      console.log(row)      
+      console.log(row)
       this.user_edit_dialog = true
       if (!row) {
         this.setAuthData(row)
@@ -586,7 +586,7 @@ export default {
         }
       }).then(resp => {
         resp.data.data.bandwidth_format = this.convertBandwidth(resp.data.data.bandwidth, 'BYTE', 'Mbps').toString();
-        this.ruleForm = resp.data.data;        
+        this.ruleForm = resp.data.data;
         this.setAuthData(resp.data.data);
       }).catch(error => {
         this.$message.error('哦，请求出错');
@@ -654,7 +654,7 @@ export default {
             if (!valid) {
                 console.log('error submit!!');
                 return false;
-            }        
+            }
             this.authLoginLoading = true;
             axios.post('/group/auth_login', {name:this.authLoginForm.name,
                                             pwd:this.authLoginForm.pwd,
@@ -663,7 +663,7 @@ export default {
                     if (rdata.code === 0) {
                         this.$message.success("登录成功");
                     } else {
-                        this.$message.error(rdata.msg);                
+                        this.$message.error(rdata.msg);
                     }
                     this.authLoginLoading = false;
                     console.log(rdata);
@@ -679,7 +679,7 @@ export default {
         if (!valid) {
           console.log('error submit!!');
           return false;
-        }        
+        }
         this.authLoginDialog = true;
         // set authLoginFormName focus
         this.$nextTick(() => {
@@ -690,14 +690,14 @@ export default {
     openIpListDialog(type) {
       this.ipListDialog = true;
       this.ipEditForm.type = type;
-      this.ipEditForm.ip_list = this.ruleForm[type].map(item => item.val + (item.note ? "," + item.note : "")).join("\n");      
+      this.ipEditForm.ip_list = this.ruleForm[type].map(item => item.val + (item.note ? "," + item.note : "")).join("\n");
     },
     ipEdit() {
         this.ipEditLoading = true;
         let ipList = [];
         if (this.ipEditForm.ip_list.trim() !== "") {
             ipList = this.ipEditForm.ip_list.trim().split("\n");
-        }        
+        }
         let arr = [];
         for (let i = 0; i < ipList.length; i++) {
           let item = ipList[i];
@@ -714,7 +714,7 @@ export default {
           };
           if (this.ipEditForm.type == "route_include" && ip[0] == "all") {
             pushToArr();
-            continue;  
+            continue;
           }
           let valid = this.isValidCIDR(ip[0]);
           if (!valid.valid) {
@@ -768,14 +768,14 @@ export default {
       var isSwitch = true
       if (! this.user_edit_dialog) {
         return isSwitch;
-      }      
+      }
       this.$refs['ruleForm'].validate((valid) => {
         if (!valid) {
           this.$message.error("错误：您有必填项没有填写。")
           isSwitch = false;
           return false;
         }
-      });      
+      });
       return isSwitch;
     },
     closeDialog() {