[DNAT] "Register rule" doesn't seem to respect sequence ordering

Started by d0shie, Today at 12:36:11 PM

As title suggests, in the past couple of days I've been noticing unknown IPs spamming connection attempts to certain game servers I've port forwarded via DNAT. I know that when Firewall rule is set to Pass, the packets will automatically be redirected to the destination host (my game servers in this case) regardless of the source IP(s).

Seeing as Rules (new) no longer offers Add associated rule, I tried the new Register rule in place of it. Upon using Inspect mode in the WAN interface, I can see that the automatically generated rule gets placed under the block rule (with alias containing said IPs) I've made. What was odd to me was these automatic rules didn't have a sequence to them, but I'd thought nothing of it. So far, so good.

Then I went over to Log Files -> Live View to watch for packets coming from the offending IPs. For an hour, all I could see were logs with the "rdr" action. This is also fine, because I did enable logging for the respective DNAT rules. However, again that was all I could see. Those IPs went through and attempted connections to my game servers anyway. No signs of packets being blocked.

To confirm my suspicion, I went back to DNAT, switched to Manual for Firewall rule and manually created a "linked" rule in the WAN interface. This time, Inspect shows that the newly created rule indeed gets assigned a sequence. And what do you know, though the packets were redirected, the IPs were successfully blocked this time and I did not see any connection attempts in my game server console.

So my questions then become:
1. Is this the expected behavior?
2. If so, is there a better, proper way to do this?

I'm well aware I could just do Invert Source and put the alias in, but I'd like the observability if possible. This is, after all, a firewall appliance. I don't just want to see packets being redirected and accepted; there's a need to know what AREN'T via a separate block rule.
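As an added illustration (not from the post and not OPNsense's generated ruleset), here is the ordering dependency in raw pf terms; the interface name, table members, port and internal host are placeholders:

```pf
# Constructed example, not the appliance's own rules.
# The offending sources sit in a table (an alias, in GUI terms).
table <offenders> { 203.0.113.10, 203.0.113.11 }

# Translation runs before filtering: the packet reaches the filter rules
# with its destination already rewritten to the internal game server.
rdr on em0 proto udp from any to (em0) port 27015 -> 192.168.1.50 port 27015

# Filter rules are evaluated top-down and "quick" stops at the first match,
# so the block must sit above the pass that admits the redirected traffic.
# Both are logged, so the firewall log shows blocks as well as passes.
block in log quick on em0 from <offenders> to 192.168.1.50
pass  in log quick on em0 proto udp from any to 192.168.1.50 port 27015

# Swapping the two filter rules lets <offenders> through: the pass matches first.
# "rdr pass ..." is worse still: packets matching it skip the filter rules
# entirely, so a block rule anywhere in the ruleset never sees that traffic.
```

`pfctl -nf <file>` parses such a fragment without loading it, which is a quick way to check the order the ruleset will actually take.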