DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DrayOS Firewall advice

14 Mar 2022 20:38 #1 by ccarmock
DrayOS Firewall advice was created by ccarmock
I have transitioned from using a DrayTek Linux router to a DrayOS based one (2960 to 3910) and am getting used to the differences.

Firstly I want to see in syslog any traffic from the WAN ports that is not allowed by the firewall, so have created a Block immediately catchall rule at the bottom of my filter set. Firstly this now seems to be blocking some but not all return traffic - i.e. if a client VPN is used I see traffic being blocked from the remote VPN server to the PC if this catchall rule is enabled. However other traffic, like return web traffic, gets through OK. Disabling it stops this blocking.

I assume DrayOS firewalls do not need a catchall rule, however without one how would I ensure that SYSLOG captures all unintended traffic?

Secondly, with this catchall in place - i.e. blocking immediately any traffic that is not explicitly allowed in an earlier rule - I have tried the Firewall -> Diagnose function, for instance to see what would happen in a WAN->LAN direction, say for ICMP from 8.8.8.8 to any internal address - which isn't allowed in my rule set so should match my catchall block. However diagnose just says "This packet is not handled by the firewall". This I find confusing, since it will match my catchall rule so I would expect diagnose to say that. Any advice appreciated.

15 Mar 2022 21:45 #2 by ccarmock
Replied by ccarmock on topic Re: DrayOS Firewall advice
Adding a bit more to this - so far I have not been able to get the Firewall -> Diagnose to say anything other than 'This packet is not handled by the firewall'. I have tried setting direction to be From WAN and entering details that match a specific firewall rule for a specific port and IP address, and even though the firewall rule is active I get the 'This packet is not handled by the firewall'.

Possibly my understanding, but I interpreted this Diagnose option as one that tested a packet against all firewall rules.

This is on a 3910 running firmware 3.9.7.2

23 Mar 2022 15:26 #3 by pharcyder
Replied by pharcyder on topic Re: DrayOS Firewall advice
The IP address of the internal device needs to be the Router's WAN IP, not the private IP address of the internal device.

Also, if you have multiple WANs UP, the diagnose function doesn't seem to work at all (at least I can't get it to work).

23 Mar 2022 19:58 #4 by ccarmock
Replied by ccarmock on topic Re: DrayOS Firewall advice
Ah thank you, that will help - I was mirroring source & destination as per the firewall rules.
I do have multiple WAN links up so will have to check if that's causing an issue also.
