Arris BGW210-700 not processing Packet Filter Drop rule
We recently switched to AT&T 50Mbps service and the supplied Arris BGW210-700 router. I need to limit the use of Remote Desktop into a Windows 2019 server to a single external IPv4 address. I created 2 Packet Filter rules and a NAT/Gaming Port Forward that I thought should have worked, but I can still RD in from another external IP. I also have a rule to stop all access from a known bad-actor network. If these Block rules don't work, it is a HUGE security hole for our network.
Can someone tell me what I'm missing from these rules, and why NAT/Gaming Port Forwarding appears to override the blocks?