The only "firewalling" (which they refer to as IP filtering) on the router is the option to route packets to the internal network (i.e. my /29 subnet). If I switch it off, it doesn't route anything at all (despite the routes being in the routing table) - and yes, I was also confused that this was only enabled within the IP filtering rules - so much so that it took a call to tech support to get the router to function as one, rather than a NAT gateway, bridge, or simply a doorstop! The only way to allow packets into and out of the subnet is to have a rule in place allowing it, otherwise all traffic is blocked, even with the firewall switched off (well, the filter table empty, which is as close as it will allow), despite routes being in place in the routing table! No other rules are in place, so no real firewalling is happening - all packets for my subnet are simply passed on to the relevant device behind the router, anything from inside that is bound for anywhere else gets thrown up the wire (and fibre, once it gets to the cabinet in the street) to my ISP to sort out! Of course, if it isn't supposed to be coming to my subnet it shouldn't be arriving at the router on the external (VDSL) interface at all, but that is for my ISP to manage!
Bizarre, I know, but that is how the software on it works (or doesn't, if the Chinese are hammering it with NTP requests)!
It appears to me that some Chinese DNS servers cache DNS lookups to the pool, and only regard a pool record as stale if the site becomes unreachable, at which point they look for another victim. Of course, this caching breaks the load balancing of the pool!
What I've seen is that following my addition to the CN zone in an attempt to kickstart it, it took a short while before my IP happened to get handed to their DNS, at which point everyone using that DNS server in China started beating on my IP address asking for the correct time! This knocked my router (and whole subnet) offline until the pool saw that I'd gone, removed me as my score was below 10 (it used to be pegged at 20) and the Chinese gave up and asked for another IP address. Then my network recovered, and ran fine, until whatever random time after reaching a score of 10 my IP address happened to get handed to them again. Rinse and repeat. Going by another thread on here, I'm not the first to suffer from this, which tends to confirm that it is not a problem with my setup (which was working fine until I volunteered to join the CN zone to bootstrap it, I think we may be finding out why it needed bootstrapping in the first place!
Of course, it may only be a subset of the DNS servers in China which are behaving in this way, but it seems to be quite enough to cause a problem, and is probably the reason for so few NTP servers being in the CN zone, relative to the size and population of the country - this DNS caching keeps knocking them over, so it's only with the aid of some rate limiting filter that any NTP server can survive in the CN zone.