I'm having a very similar problem. I've been tasked by my manager to investigate replacing existing kit with the Draytek 2820n. I've been tearing my hair out with these firewall rules.
We operate a whitelist on our existing kit; it opens a text box and you enter as many URLs as you want with just one rule - "allow or deny everything on this list". No messing around making 'objects' and then adding them to what I think are very limited lists like on the Draytek.
In my testing so far the Draytek has been fantastic (VPN, automatic failover, performance), except these firewall rules.
All I want to do is block most categories, but open shopping, and have a defined blacklist (e.g. eBay, Play.com). This works fine under one rule, but the minute I try to add any more rules (mainly because of the space limitations of how many 'objects' and 'groups' we can add to a list) the results are best described as unpredictable.
Draytek say that we can be 'clever' and chain rules and even sets of rules but this is a major contradiction.
Is it really the case that this model (2820) is broken when it comes to rule-chaining? Does Draytek officially say that?
Thanks everyone!