Forcing all DNS traffic from the LAN to the firewall

I have been testing Jon @jon's setup from post #65. Looks like it works, both the NTP and DNS preroutes. Thanks for the command in post 96 via Andreas @troll-op. Allowed me to also probe NTP rules. Device 192.168.10.5 is configured to get NTP from firewall 192.168.10.1, but device 192.168.10.151 (which I thought I had manually configured to use the firewall for NTP) is redirected to the firewall, at least according to this output:

        [NEW] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
     [UPDATE] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
        [NEW] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816
     [UPDATE] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816

So far looking good :+1:

P

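An added example, not part of the original post: a small Python check that reads connection-tracking event lines in the format quoted above and reports the flows whose reply tuple does not mirror the original destination, which is the sign that the firewall rewrote the destination. The function names are hypothetical, and the sample input is the four lines from the post embedded as a constant.

```python
import re

# Sample input: the four event lines quoted in the post, embedded for an offline run.
SAMPLE = """\
    [NEW] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
 [UPDATE] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
    [NEW] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816
 [UPDATE] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816
"""

EVENT = re.compile(r"^\s*\[(\w+)\]\s+(\w+)\s")
FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_event(line):
    """Return (event, proto, original_tuple, reply_tuple), or None if not parseable."""
    m = EVENT.match(line)
    fields = FIELD.findall(line)
    # Port-less protocols (e.g. ICMP) carry fewer than 8 such fields and are skipped.
    if m is None or len(fields) < 8:
        return None
    return m.group(1), m.group(2), dict(fields[:4]), dict(fields[4:8])

def redirected_flows(text, ports=("53", "123")):
    """List (proto, client, intended_dst, dport, actual_responder) for rewritten flows."""
    seen = {}  # keyed per flow so [NEW] and [UPDATE] for one flow report once
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        _, proto, orig, reply = ev
        if orig["dport"] not in ports:
            continue
        # Without destination NAT the reply comes from the address and port
        # the client targeted; any mismatch means the flow was redirected.
        if reply["src"] != orig["dst"] or reply["sport"] != orig["dport"]:
            seen[(proto, orig["src"], orig["dst"], orig["dport"])] = reply["src"]
    return [key + (responder,) for key, responder in seen.items()]

if __name__ == "__main__":
    for proto, client, wanted, dport, got in redirected_flows(SAMPLE):
        print(f"{client} asked {wanted}:{dport}/{proto}, answered by {got}")
```

On the sample it reports only 192.168.10.151, which targeted 137.190.2.4 and was answered by 192.168.10.1; 192.168.10.5 addressed the firewall directly and is not listed.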