Hi, hoping someone could help clarify a limitation with the Draytek Vigor 2860 firewall, or whether I am doing something wrong. I will simplify the use case to make it easier to follow.

I am using Content filtering (URL Filter & DNS Filter) to selectively block access to Youtube & Facebook. Each rule works fine on it's own, but the firewall fails if I enable them both.

If rule 1 is the Youtube block and I select pass immediately then Youtube is blocked but not Facebook.
If rule 1 is changed to Pass if no further match then Youtube is no longer blocked but Facebook is.
Doesn't seem to make a difference if the rules are in the same firewall set or split into different sets.

Right now, my workaround idea is to use keyword groups and have all my filters in a single firewall rule. But this really curtails flexibility. So before I switch to this model, it would be helpful to know for sure whether a packet can be inspected against more than 1 firewall rule that has a content filter. Seems bizarre that this wouldn't be the case.

Thanks

A quick update in case anyone encounters the same issue. I ended up having to move all the content filters into a single rule in order to get it working. There seems to be no other way.