Restricting the TURN server to accept traffic only from Cloudflare (CF) IPs, but all traffic to the TURN server then seems to be dropped

Where should I set that rule? Currently, the TURN server is proxied by Cloudflare Spectrum for UDP. The firewall rules in question are the ones whose description contains "coturn".

Config:

/* Firewall section (addresses masked by the poster): address groups, named rule-sets and global options.
   Rule-sets only take effect where an interface references them (see the interfaces section). */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* Cloudflare IPv6 ranges; used as the source match in EXTERNAL-IN-v6 rule 20. */
        ipv6-network-group cf-ipv6 {
            network xxxx:xxxx::/32
            network xxxx:xxxx::/32
            network xxxx:xxxx::/32
            network xxxx:xxxx::/32
            network xxxx:xxxx::/32
            network xxxx:xxxx::/29
            network xxxx:xxxx::/32
        }
        /* Cloudflare IPv4 ranges; used as the source match in EXTERNAL-IN rules 20 and 30 and EXTERNAL-LOCAL rule 40.
           NOTE(review): a static list goes stale when the provider changes its published ranges - confirm it is kept current. */
        network-group cf-ipv4 {
            network xxx.xxx.48.0/20
            network xxx.xxx.244.0/22
            network xxx.xxx.200.0/22
            network xxx.xxx.4.0/22
            network xxx.xxx.64.0/18
            network xxx.xxx.192.0/18
            network xxx.xxx.240.0/20
            network xxx.xxx.96.0/20
            network xxx.xxx.240.0/22
            network xxx.xxx.128.0/17
            network xxx.xxx.0.0/15
            network xxx.xxx.0.0/13
            network xxx.xxx.0.0/14
            network xxx.xxx.0.0/13
            network xxx.xxx.72.0/22
        }
    }
    /* IPv6 traffic forwarded through the router from the WAN side; anything not matched is dropped and logged. */
    ipv6-name EXTERNAL-IN-v6 {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        /* New connections to ports 80/443 from the Cloudflare IPv6 group.
           No destination address is set, so this matches any forwarded IPv6 host. */
        rule 20 {
            action accept
            destination {
                port 80,443
            }
            log enable
            protocol tcp_udp
            source {
                group {
                    network-group cf-ipv6
                }
            }
            state {
                new enable
            }
        }
    }
    /* IPv6 traffic addressed to the router itself from the WAN side. */
    ipv6-name EXTERNAL-LOCAL-v6 {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmpv6 {
                type echo-request
            }
            log enable
            protocol icmpv6
            state {
                new enable
            }
        }
        /* SSH rate limit: drops new connections that hit the `recent` threshold (count 15 within time 60).
           It must stay numbered below the accept in rule 31 to have any effect. */
        rule 30 {
            action drop
            description ssh
            destination {
                port 22
            }
            log enable
            protocol tcp
            recent {
                count 15
                time 60
            }
            state {
                new enable
            }
        }
        /* Accepts new SSH connections from any source address (no source match is set). */
        rule 31 {
            action accept
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* IPv4 traffic forwarded through the router from the WAN side (applied as `in` on eth0 and eth1).
       The destination addresses below are the internal hosts that the nat destination rules translate to. */
    name EXTERNAL-IN {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        /* Web ports on the servarr host, accepted only from the Cloudflare IPv4 group. */
        rule 20 {
            action accept
            description servarr-vlan200
            destination {
                address xxx.xxx.71.2
                port 80,443
            }
            log enable
            protocol tcp_udp
            source {
                group {
                    network-group cf-ipv4
                }
            }
            state {
                new enable
            }
        }
        /* Rate limit for port 5053: drops new connections that hit the `recent` threshold (count 100 within time 60). */
        rule 21 {
            action drop
            description bind-vlan200
            destination {
                address xxx.xxx.71.2
                port 5053
            }
            log enable
            protocol tcp_udp
            recent {
                count 100
                time 60
            }
            state {
                new enable
            }
        }
        /* Accepts port 5053 from any source address; only the rate limit in rule 21 constrains it. */
        rule 22 {
            action accept
            description bind-vlan200
            destination {
                address xxx.xxx.71.2
                port 5053
            }
            log enable
            protocol tcp_udp
            state {
                new enable
            }
        }
        /* Web ports on the kvm host, accepted only from the Cloudflare IPv4 group. */
        rule 30 {
            action accept
            description kvm
            destination {
                address xxx.xxx.69.6
                port 80,443
            }
            log enable
            protocol tcp_udp
            source {
                group {
                    network-group cf-ipv4
                }
            }
            state {
                new enable
            }
        }
        /* TURN listener and relay ports on the servarr host.
           NOTE(review): unlike rules 20 and 30 there is no `source group network-group cf-ipv4` here, so UDP
           3478, 5349 and 49152-65535 are accepted from any source. A Cloudflare-only restriction for the
           proxied listener would be a source match in this rule-set, since it filters forwarded WAN traffic.
           Presumably only the ports actually published through Spectrum arrive from Cloudflare addresses;
           relay-range traffic sent by peers directly would not match a CF-only source - confirm against the
           Spectrum application before restricting the whole port list in one rule, and use the firewall log
           (log enable / enable-default-log) to see which sources are being dropped. */
        rule 40 {
            action accept
            description coturn-servarr
            destination {
                address xxx.xxx.71.2
                port 3478,5349,49152-65535
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    /* IPv4 traffic addressed to the router itself from the WAN side (applied as `local` on eth0 and eth1). */
    name EXTERNAL-LOCAL {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            log enable
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH rate limit: drops new connections that hit the `recent` threshold (count 15 within time 60). */
        rule 30 {
            action drop
            description ssh
            destination {
                port 22
            }
            log enable
            protocol tcp
            recent {
                count 15
                time 60
            }
            state {
                new enable
            }
        }
        /* Accepts new SSH connections from any source address.
           NOTE(review): the router's SSH service is reachable from the WAN; consider a source match if
           management is only ever done from known addresses. */
        rule 31 {
            action accept
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        /* GRE for the magic-wan tunnel, accepted only from the Cloudflare IPv4 group; no state match is set. */
        rule 40 {
            action accept
            description magic-wan
            log enable
            protocol gre
            source {
                group {
                    network-group cf-ipv4
                }
            }
        }
        /* ICMP echo-reply accepted from any source with no state match. */
        rule 50 {
            action accept
            icmp {
                type-name echo-reply
            }
            log enable
            protocol icmp
        }
    }
    /* Traffic entering from VLAN 100. Default is accept, so isolation depends entirely on the drop rules 50 and 51. */
    name VLAN-100 {
        default-action accept
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        /* No protocol or port match: all traffic to the printer address is accepted. */
        rule 20 {
            action accept
            description "Printer access"
            destination {
                address xxx.xxx.69.12
            }
        }
        rule 30 {
            action accept
            description "Pihole DNS"
            destination {
                address xxx.xxx.69.7
                port 53
            }
            protocol tcp_udp
        }
        rule 50 {
            action drop
            description "Restrict Access to INTERNAL1 network"
            destination {
                address xxx.xxx.69.0/24
            }
        }
        rule 51 {
            action drop
            description "Restrict Access to VLAN200 network"
            destination {
                address xxx.xxx.71.0/24
            }
        }
    }
    /* Traffic entering from VLAN 200 (the servarr / TURN host network). Default is accept; rules 50 and 51
       drop what the earlier accepts did not already allow towards the other internal networks. */
    name VLAN-200 {
        default-action accept
        enable-default-log
        rule 10 {
            action accept
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Printer access"
            destination {
                address xxx.xxx.69.12
            }
            source {
                address xxx.xxx.71.2
            }
        }
        rule 30 {
            action accept
            description "Pihole DNS"
            destination {
                address xxx.xxx.69.7
                port 53
            }
            protocol tcp_udp
        }
        rule 31 {
            action accept
            description "Pi Prometheus"
            destination {
                address xxx.xxx.69.7
                port 9100
            }
            protocol tcp_udp
            source {
                address xxx.xxx.71.2
            }
        }
        rule 32 {
            action accept
            description "Vyos Prometheus"
            destination {
                address xxx.xxx.69.1
                port 9100
            }
            protocol tcp_udp
            source {
                address xxx.xxx.71.2
            }
        }
        rule 33 {
            action accept
            description "Unbound DNS"
            destination {
                address xxx.xxx.71.2
                port 5054
            }
            protocol tcp_udp
            source {
                address xxx.xxx.69.7
            }
        }
        rule 40 {
            action accept
            description servarr
            destination {
                address xxx.xxx.71.2
                port 80,443,53
            }
            protocol tcp_udp
        }
        /* Matches traffic arriving from VLAN 200 towards the TURN host; it does not filter WAN traffic,
           which is handled by EXTERNAL-IN rule 40. */
        rule 41 {
            action accept
            description coturn
            destination {
                address xxx.xxx.71.2
                port 3478,5349,49152-65535
            }
            protocol udp
        }
        /* No protocol or port match: the servarr host has unrestricted access to this INTERNAL1 address. */
        rule 42 {
            action accept
            description "ERFI1 Access"
            destination {
                address xxx.xxx.69.3
            }
            source {
                address xxx.xxx.71.2
            }
        }
        rule 50 {
            action drop
            description "Restrict Access to INTERNAL1 network"
            destination {
                address xxx.xxx.69.0/24
            }
        }
        rule 51 {
            action drop
            description "Restrict Access to VLAN100 network"
            destination {
                address xxx.xxx.70.0/24
            }
        }
    }
    options {
        interface tun0 {
            adjust-mss 1436
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): source-validation is disabled, so there is no reverse-path check on incoming packets;
       presumably this is for the dual-WAN setup - confirm it is intentional. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
/* Interface definitions and the firewall rule-sets attached to each one.
   `in` filters traffic forwarded through the router that arrives on the interface;
   `local` filters traffic addressed to the router itself. */
interfaces {
    /* First WAN uplink: forwarded traffic is filtered by EXTERNAL-IN, router-bound traffic by EXTERNAL-LOCAL. */
    ethernet eth0 {
        address dhcp
        description EXTERNAL1
        duplex auto
        firewall {
            in {
                ipv6-name EXTERNAL-IN-v6
                name EXTERNAL-IN
            }
            local {
                ipv6-name EXTERNAL-LOCAL-v6
                name EXTERNAL-LOCAL
            }
        }
        hw-id xx:xx:xx:xx:xx:12
        speed auto
    }
    /* Second WAN uplink with the same rule-sets as eth0. */
    ethernet eth1 {
        address dhcp
        description EXTERNAL2
        duplex auto
        firewall {
            in {
                ipv6-name EXTERNAL-IN-v6
                name EXTERNAL-IN
            }
            local {
                ipv6-name EXTERNAL-LOCAL-v6
                name EXTERNAL-LOCAL
            }
        }
        hw-id xx:xx:xx:xx:xx:13
        speed auto
    }
    /* INTERNAL1 trunk. The untagged network has no rule-set attached; only the two VLANs are filtered. */
    ethernet eth2 {
        address xxx.xxx.69.1/24
        description INTERNAL1
        duplex auto
        hw-id xx:xx:xx:xx:xx:14
        ip {
            arp-cache-timeout 30
        }
        speed auto
        vif 100 {
            address xxx.xxx.70.1/24
            description asus
            firewall {
                in {
                    name VLAN-100
                }
            }
        }
        /* VLAN 200 holds the servarr / TURN host (xxx.xxx.71.2 in the firewall and nat rules). */
        vif 200 {
            address xxx.xxx.71.1/24
            description servarr
            firewall {
                in {
                    name VLAN-200
                }
            }
        }
    }
    /* No firewall rule-set is attached to this interface. */
    ethernet eth3 {
        address xxx.xxx.73.1/24
        description INTERNAL2
        duplex auto
        hw-id xx:xx:xx:xx:xx:15
        speed auto
    }
    loopback lo {
    }
    /* GRE tunnel for magic-wan.
       NOTE(review): no firewall rule-set is attached to tun0, so traffic arriving through the tunnel is
       not filtered by any rule-set in this configuration - confirm that is intended. */
    tunnel tun0 {
        address xxx.xxx.72.20/31
        description magic-wan
        encapsulation gre
        mtu 1476
        remote xxx.xxx.66.5
        source-address xxx.xxx.189.102
    }
}
/* WAN load-balancing: health checks for eth0, eth1 and tun0, exclusion rules for traffic between the
   internal networks and the tunnel, and failover rules that weight eth0 (10) above eth1 (1). */
load-balancing {
    wan {
        flush-connections
        interface-health eth0 {
            failure-count 2
            nexthop dhcp
            success-count 1
            test 10 {
                resp-time 5
                target xxx.xxx.8.8
                ttl-limit 1
                type ping
            }
            test 20 {
                resp-time 5
                target xxx.xxx.1.1
                ttl-limit 1
                type ping
            }
        }
        interface-health eth1 {
            failure-count 2
            nexthop dhcp
            success-count 1
            test 10 {
                resp-time 5
                target xxx.xxx.8.8
                ttl-limit 1
                type ping
            }
            test 20 {
                resp-time 5
                target xxx.xxx.1.1
                ttl-limit 1
                type ping
            }
        }
        interface-health tun0 {
            failure-count 1
            nexthop xxx.xxx.72.21
            success-count 1
            test 10 {
                resp-time 5
                target xxx.xxx.72.21
                ttl-limit 1
            }
        }
        /* Rules 10-25: `exclude` keeps traffic between the listed internal/tunnel networks out of WAN balancing. */
        rule 10 {
            description vlan100-exclusion-eth2
            destination {
                address xxx.xxx.69.1/24
            }
            exclude
            inbound-interface eth2.100
            protocol all
        }
        rule 11 {
            description vlan200-exclusion-eth2
            destination {
                address xxx.xxx.69.1/24
            }
            exclude
            inbound-interface eth2.200
            protocol all
        }
        rule 12 {
            description eth2-exclusion-vlan100
            destination {
                address xxx.xxx.70.1/24
            }
            exclude
            inbound-interface eth2
            protocol all
        }
        rule 13 {
            description eth2-exclusion-vlan200
            destination {
                address xxx.xxx.71.1/24
            }
            exclude
            inbound-interface eth2
            protocol all
        }
        rule 20 {
            description tun0-exclusion-vlan100
            destination {
                address xxx.xxx.70.1/24
            }
            exclude
            inbound-interface tun0
            protocol all
        }
        rule 21 {
            description tun0-exclusion-vlan200
            destination {
                address xxx.xxx.71.1/24
            }
            exclude
            inbound-interface tun0
            protocol all
        }
        rule 22 {
            description tun0-exclusion-eth2
            destination {
                address xxx.xxx.69.1/24
            }
            exclude
            inbound-interface tun0
            protocol all
        }
        rule 23 {
            description vlan100-exclusion-tun0
            destination {
                address xxx.xxx.72.20/31
            }
            exclude
            inbound-interface eth2.100
            protocol all
        }
        rule 24 {
            description vlan200-exclusion-tun0
            destination {
                address xxx.xxx.72.20/31
            }
            exclude
            inbound-interface eth2.200
            protocol all
        }
        rule 25 {
            description eth2-exclusion-tun0
            destination {
                address xxx.xxx.72.20/31
            }
            exclude
            inbound-interface eth2
            protocol all
        }
        /* Rules 30-33: failover between the two uplinks for traffic entering from tun0, the VLANs and eth2. */
        rule 30 {
            failover
            inbound-interface tun0
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 31 {
            failover
            inbound-interface eth2.100
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        /* Covers traffic leaving VLAN 200, which includes replies from the TURN host. */
        rule 32 {
            failover
            inbound-interface eth2.200
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 33 {
            failover
            inbound-interface eth2
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        /* Keeps replies to inbound WAN connections on the uplink they arrived on. */
        sticky-connections {
            inbound
        }
    }
}
/* NAT: port forwards from both WAN uplinks to internal hosts, and masquerade for outbound traffic.
   None of the destination rules has a source match, so source filtering is left to the EXTERNAL-IN
   rule-set, whose rules match the translated (internal) destination addresses. */
nat {
    destination {
        /* No translation port is set, so the destination port is left unchanged. */
        rule 10 {
            description servarr-vlan200-eth0
            destination {
                port 80,443
            }
            inbound-interface eth0
            log enable
            protocol tcp_udp
            translation {
                address xxx.xxx.71.2
            }
        }
        rule 11 {
            description bind-vlan200-eth0
            destination {
                port 5053
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address xxx.xxx.71.2
                port 5053
            }
        }
        /* Rules 12-14: TURN listener ports and relay range arriving on eth0, forwarded to the TURN host. */
        rule 12 {
            description coturn-vlan200-eth0-3478
            destination {
                port 3478
            }
            inbound-interface eth0
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 3478
            }
        }
        rule 13 {
            description coturn-vlan200-eth0-5349
            destination {
                port 5349
            }
            inbound-interface eth0
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 5349
            }
        }
        /* Forwards the entire 49152-65535 UDP range to a single host.
           NOTE(review): narrowing the relay range on the TURN server and here reduces the exposed surface. */
        rule 14 {
            description coturn-vlan200-eth0-relay
            destination {
                port 49152-65535
            }
            inbound-interface eth0
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 49152-65535
            }
        }
        rule 20 {
            description servarr-vlan200-eth1
            destination {
                port 80,443
            }
            inbound-interface eth1
            log enable
            protocol tcp_udp
            translation {
                address xxx.xxx.71.2
            }
        }
        rule 21 {
            description bind-vlan200-eth1
            destination {
                port 5053
            }
            inbound-interface eth1
            protocol tcp_udp
            translation {
                address xxx.xxx.71.2
                port 5053
            }
        }
        /* Rules 22-24: the same TURN forwards for the second uplink. */
        rule 22 {
            description coturn-vlan200-eth1-3478
            destination {
                port 3478
            }
            inbound-interface eth1
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 3478
            }
        }
        rule 23 {
            description coturn-vlan200-eth1-5349
            destination {
                port 5349
            }
            inbound-interface eth1
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 5349
            }
        }
        rule 24 {
            description coturn-vlan200-eth1-relay
            destination {
                port 49152-65535
            }
            inbound-interface eth1
            log enable
            protocol udp
            translation {
                address xxx.xxx.71.2
                port 49152-65535
            }
        }
        /* External port 2053 is translated to port 443 on the kvm host; EXTERNAL-IN rule 30 then
           accepts it only from the Cloudflare IPv4 group. */
        rule 30 {
            description kvm-eth0
            destination {
                port 2053
            }
            inbound-interface eth0
            log enable
            protocol tcp_udp
            translation {
                address xxx.xxx.69.6
                port 443
            }
        }
        rule 40 {
            description kvm-eth1
            destination {
                port 2053
            }
            inbound-interface eth1
            log enable
            protocol tcp_udp
            translation {
                address xxx.xxx.69.6
                port 443
            }
        }
    }
    /* Outbound masquerade for the internal /16 on each uplink. */
    source {
        rule 100 {
            description eth0
            log enable
            outbound-interface eth0
            source {
                address xxx.xxx.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            description eth1
            log enable
            outbound-interface eth1
            source {
                address xxx.xxx.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
/* Policy routing: TCP/UDP traffic to ports 80/443 from source xxx.xxx.71.3 is looked up in routing table 100.
   NOTE(review): no interface in the posted interfaces section references this policy - confirm it is applied. */
policy {
    route magic-wan {
        enable-default-log
        rule 100 {
            description magic-wan
            destination {
                port 80,443
            }
            log enable
            protocol tcp_udp
            set {
                table 100
            }
            source {
                address xxx.xxx.71.3
            }
        }
    }
}
/* Routing table 100 (selected by policy route magic-wan): a single route via xxx.xxx.72.21, the address
   that the tun0 health check also targets. */
protocols {
    static {
        table 100 {
            route xxx.xxx.0.0/0 {
                next-hop xxx.xxx.72.21 {
                }
            }
        }
    }
}
/* Services run by the router itself: DHCP for the four internal networks, DNS forwarding and SSH. */
service {
    dhcp-server {
        shared-network-name xxxxxx {
            subnet xxx.xxx.69.0/24 {
                default-router xxx.xxx.69.1
                domain-name xxxxxx
                lease 300
                name-server xxx.xxx.69.7
                name-server xxx.xxx.69.1
                name-server xxx.xxx.1.1
                range 0 {
                    start xxx.xxx.69.2
                    stop xxx.xxx.69.254
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.69.3
                    mac-address xx:xx:xx:xx:xx:b6
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.69.6
                    mac-address xx:xx:xx:xx:xx:33
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.69.7
                    mac-address xx:xx:xx:xx:xx:64
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.69.4
                    mac-address xx:xx:xx:xx:xx:28
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.73.0/24 {
                default-router xxx.xxx.73.1
                domain-name xxxxxx
                lease 300
                name-server xxx.xxx.69.7
                name-server xxx.xxx.73.1
                name-server xxx.xxx.1.1
                range 0 {
                    start xxx.xxx.73.2
                    stop xxx.xxx.73.254
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.70.0/24 {
                default-router xxx.xxx.70.1
                domain-name xxxxxx
                lease 300
                name-server xxx.xxx.69.7
                name-server xxx.xxx.70.1
                name-server xxx.xxx.1.1
                range 0 {
                    start xxx.xxx.70.2
                    stop xxx.xxx.70.254
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.70.2
                    mac-address xx:xx:xx:xx:xx:d8
                }
            }
        }
        /* VLAN 200 network. The static mapping for xxx.xxx.71.2 pins the address that the firewall and
           nat rules use for the servarr / TURN host; the dynamic range below starts at that same address. */
        shared-network-name xxxxxx {
            subnet xxx.xxx.71.0/24 {
                default-router xxx.xxx.71.1
                domain-name xxxxxx
                lease 300
                name-server xxx.xxx.69.7
                name-server xxx.xxx.71.1
                name-server xxx.xxx.1.1
                range 0 {
                    start xxx.xxx.71.2
                    stop xxx.xxx.71.254
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.71.4
                    mac-address xx:xx:xx:xx:xx:53
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.71.2
                    mac-address xx:xx:xx:xx:xx:07
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.71.3
                    mac-address xx:xx:xx:xx:xx:c9
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.71.5
                    mac-address xx:xx:xx:xx:xx:1c
                }
            }
        }
    }
    /* DNS forwarder: listens only on the internal interface addresses and answers only the internal /16. */
    dns {
        forwarding {
            allow-from xxx.xxx.0.0/16
            cache-size 0
            listen-address xxx.xxx.69.1
            listen-address xxx.xxx.70.1
            listen-address xxx.xxx.71.1
            listen-address xxx.xxx.73.1
        }
    }
    /* SSH with password authentication disabled. No listen-address is set, and EXTERNAL-LOCAL /
       EXTERNAL-LOCAL-v6 rule 31 accept port 22 from the WAN, so key-only login and the rate limit in
       rule 30 are the controls protecting it. */
    ssh {
        disable-password-authentication
        loglevel verbose
        port 22
    }
}
/* System settings: configuration history, connection-tracking helpers, login, resolvers, NTP, host
   mappings, a custom sysctl and syslog. */
system {
    config-management {
        commit-revisions 100
    }
    /* Connection-tracking helper modules.
       NOTE(review): every rule-set accepts `related` traffic in rule 10, and helpers are what mark
       secondary flows as related; keep only the helpers for protocols that are actually in use. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login {
        /* Credentials are masked in this post. When sharing a configuration, mask the password hash and
           key material as done here. */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ecdsa-sha2-nistp256
                }
            }
        }
    }
    name-server xxx.xxx.71.2
    name-server xxx.xxx.69.7
    name-server xxx.xxx.1.1
    name-server xxx.xxx.8.8
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    static-host-mapping {
        host-name xxxxxx {
            inet xxx.xxx.70.2
        }
        host-name xxxxxx {
            inet xxx.xxx.69.3
        }
        host-name xxxxxx {
            inet xxx.xxx.69.6
        }
        host-name xxxxxx {
            inet xxx.xxx.69.7
        }
        host-name xxxxxx {
            inet xxx.xxx.69.1
        }
        host-name xxxxxx {
            inet xxx.xxx.71.4
        }
        host-name xxxxxx {
            inet xxx.xxx.71.2
        }
        host-name xxxxxx {
            inet xxx.xxx.69.4
        }
        host-name xxxxxx {
            inet xxx.xxx.71.3
        }
        host-name xxxxxx {
            inet xxx.xxx.71.5
        }
    }
    /* accept_local=1 makes the kernel accept packets whose source address is one of the router's own.
       NOTE(review): together with `source-validation disable` in the firewall section this relaxes
       source-address checks; presumably needed for the multi-WAN / tunnel routing - confirm. */
    sysctl {
        custom net.ipv4.conf.all.accept_local {
            value 1
        }
    }
    /* Logs every facility at every level, which includes the firewall `log enable` hits. */
    syslog {
        global {
            facility all {
                level all
            }
            facility protocols {
                level all
            }
        }
    }
    time-zone Asia/Singapore
}