At last half a solution, Disable secure vpn and set the allowed ip to the router internal address this will disable remote login but you will still fail the PCI check for that you need to install a valid x609 cert. Surely there should be a way to block 443 to all but certain IP's but nothing I have tried works and Draytek support are unhelpful to say the least. I have now started to roll out Cisco 5506's as they work and are secure they are also a damn sight more logical to setup rules on.

C'mon Draytek get your act together!!!

The access list on the management page is how you would control access to the router's management interface, the firewall doesn't apply to the management interfaces

Yeah just try that and then test the results also the 2860 does not show this behavior this is not me not knowing how to do it its the 2830 that is broke and Draytek dont seem to want or be able to fix it - The 2860 works as designed and works well the 2830 dosen't period so now I have 11 junk routers and a complete lack of faith in this company and their support