DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Block all traffic apart from one IP [Firewall Rules]
07 Nov 2015 15:33 #84697
by voodle
Re: Block all traffic apart from one IP [Firewall Rules] was created by voodle
Is that to a SIP phone behind the router or the router's own VoIP ports? Because the firewall doesn't affect the router's internal VoIP ports, you'd need to use the call barring stuff to do that.
08 Nov 2015 20:30 #84700
by chrisw
Replied by chrisw on topic Re: Block all traffic apart from one IP [Firewall Rules]
I'm assuming you are using an external SIP device? If so I do the blocking the other way round:
First rule is set to 'pass immediately' any incoming traffic from my chosen VoIP provider source IP with the (internal) destination IP of my PBX & UDP port 5060.
Second rule is set to 'block immediately' any source IP to any destination IP with UDP port 5060.
UDP port 5060 is the troublesome one, so all wanted traffic is passed by the first rule & everything else is blocked by the second.
On an average day there must be about 10~20 random probes to port 5060 which get blocked ( & logged by syslog).
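To make the ordering of the two rules above concrete, here is an added Python model of first-match "pass/block immediately" rules (example code, not from the forum or from DrayTek; the provider and PBX addresses and the sample packets are constructed):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str            # "any" or an address/CIDR
    dst: str            # "any" or an address/CIDR
    proto: str          # "udp", "tcp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str         # "pass" or "block" (evaluated "immediately")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet, default: str = "pass"):
    """First matching rule decides and stops evaluation; return (action, rule number)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, number
    return default, 0   # no rule matched: fall through to the default policy

PROVIDER = "203.0.113.10"   # constructed VoIP provider address (TEST-NET-3)
PBX = "192.168.1.20"        # constructed internal PBX address

# chrisw's two rules, in the order he describes
RULES = [
    Rule(PROVIDER, PBX, "udp", 5060, "pass"),   # rule 1: provider -> PBX, SIP
    Rule("any", "any", "udp", 5060, "block"),   # rule 2: all other SIP
]

# constructed inbound sample: one provider packet, two random probes, one unrelated flow
SAMPLE = [
    Packet(PROVIDER, PBX, "udp", 5060),
    Packet("198.51.100.7", PBX, "udp", 5060),
    Packet("198.51.100.8", "192.168.1.21", "udp", 5060),
    Packet("198.51.100.9", PBX, "tcp", 443),
]

def count_blocked(rules, packets) -> int:
    """Number of packets the rule set would block (what syslog would record)."""
    return sum(1 for p in packets if evaluate(rules, p)[0] == "block")
```

Reversing the two rules makes the block rule match the provider's packets first, so the PBX would lose its SIP traffic along with the probes.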
09 Nov 2015 12:52 #84706
by chrisw
Replied by chrisw on topic Re: Block all traffic apart from one IP [Firewall Rules]
Not sure... I think it may be the case that if you have outgoing port 5060 traffic (e.g. SIP registration requests) then these may have punched a hole through the firewall so that return traffic from the same IP follows the NAT path rather than hitting the firewall. Are you logging any other port 5060 probes that are being blocked (you may have to wait 24 hours or so...)? In any case can you post pics of your rules again so we can review?
Chris
10 Nov 2015 11:08 #84714
by voodle
Replied by voodle on topic Re: Block all traffic apart from one IP [Firewall Rules]
The screenshots show filter set 1 - which is the call filter, this isn't the same as the data filter, so possibly try putting the rules in filter set 2 or under firewall general setup, switch the filter sets around that each one links to so that filter set 1 links to the data filter.
Copyright © 2025 DrayTek