Hey Guys,
my 2 cents, just a couple things
With most firewalls you should be able to create firewall policy that will block port activity excluding a certain ip/ip range. Unfortunately I do not believe the Hitrons firewall is that flexible, as you are now getting into the territory of a small business class router (QOS, FIREWALL) or separate firewall (you can find used linux based firewalls for $20-$40 all over the place).
You shouldn't need to port foreword with UPnP (I would recommend the opposite, disabling UPnP and using your manual port forwarding as UPnP is usually exploited by virus activity to open ports).
I think the Hitron has an Awesome Wifi Broadcast (mine usually broadcasts -30db- -40db, which probably comes in at about 1watt but guessing) but when you are getting into the world of firewall exceptions, most would usually say bridge it and use a router with either more software or hardware options).
I am on board with the other posters, where I’m not sure if the firewall exception would resolve the issue. Set-up some logging, find out where the traffic is coming from. Wireshark is VERY OVERWHELMING when you first start with it...I remember making the exact same comment when I started, AMAZINGLY I had someone sit myself down for half an hour and show me the in's and out's....there is a reason it is the standard, don’t' worry about small data capture, use your filters, create custom filters, you can filter by SO MUCH, protocol/port/destination/exclusions.
I'm not saying this is happening but it’s something to be aware of. PBX's can be exploited if responding to port scans, the short of it, malicious activity hammers the port usually looking for your VM, then using maintenance proto's either set up FFW, or grab a line to call out to make long distance calls. Does your SIP use TLS?
....now I’m just rambling, I hope this helps.
Andrew
"I'm pretty sure someone legally changed my name ...Andrew FIX IT....that’s all i hear all day"