Discussion topic: VoIP firewall settings request

I have upgraded to Sky FTTP and OpenReach installed an ONT box to my property. This has allowed me to connect a hardware firewall (Firewalla Purple) to the ONT box to act as a firewall and router (ad-blocker and parental controls all enabled). The Firewalla is connected to a managed switch and the old Sky Hub is connected to the switch to act as a wireless AP and to allow me to connect the landline (router functions disabled). Everything works exactly as it should, apart from the fact that the phone never connects. The light on the hub stays orange. I've contacted Sky support to ask for the relevant ports/service details that I need to enable - but they insist they can't give them to me. So I'm asking here before cracking out wireshark and trying to figure it out the hard way.
SIP and H323 passthrough are already enabled for NAT. And even when I enable 'emergency access' and give all Sky devices on the network direct access to the internet, that light stays orange.
Remove the firewall and put the Sky hub into router mode and the phone works.
Is it possible that the hub is issuing an IP address to the phone internally? And that now I've turned off the router functionality it can't do that?
I'm genuinely stumped!