PFBlockerNG - want to allow country but also SIP provider on static IP



  • Hi all, I've got some questions regarding pfBlockerNG. I've checked out the YouTube tuts and the wiki, but still need some guidance here.

    I have a class C public block of IPs, which I have set via VIPs on my WAN. I'm currently doing a 1:1 NAT for my SIP from my VoIP provider 3.3.3.3 to my WAN 2.2.2.2. I also have UDP (range) and SIP ports open to the public on 2.2.2.2. The 1:1 and port forwarding are going to my private SIP 1.1.1.1.

    I would now like to add my country as a geo-location on pfBlockerNG, so only allow my country, but still want the 1:1 NAT and port forwarding rules plus my VoIP provider's IP (not hosted in my country) to take effect.

    Does that make sense?
    So anyone in my country plus one external to my country IP to have access to 2.2.2.2… as specified by my current 1:1 rules and port forwarding.

    I'm confused by the "custom destination" in "advanced inbound rule" where it says "Click Here to add/edit Aliases Do not manually enter Addresses(es)."

    Does this mean, as I read it, that I must create an Alias for my public IP 2.2.2.2 or must I create this for my internal IP 1.1.1.1?
    Must I create the "list action" as "alias permit" or "alias native"? And will this still take into account my 1:1 NAT and UDP port forwards I currently have open to the world and then just suppress access for IPs originating in my country?

    Which is what I want, so effectively I have:

    2.2.2.2 > 1:1 NAT > 1.1.1.1
    SIP port forward on 2.2.2.2 to 1.1.1.1.
    UDP range port forward on 2.2.2.2 to 1.1.1.1

    I want this to remain but with the exception of adding
    3.3.3.3 > SIP port forward on 2.2.2.2 to 1.1.1.1
    And then denying anything else outside of my country

    Net result
    3.3.3.3 > SIP port forward on 2.2.2.2 to 1.1.1.1
    3.3.3.3 > UDP range port forward on 2.2.2.2 to 1.1.1.1
    My-Country > SIP port forward on 2.2.2.2 to 1.1.1.1.
    My-Country > UDP range port forward on 2.2.2.2 to 1.1.1.1.

    Any help or inkling appreciated!

