Closed but open ports
FIXED
Re: Closed but open ports
a week ago
'If your phone is on private IP addresses (eg 192.168.x.x, 10.x.x.x) then you won't need to set up the firewall as you're not using public IP addresses.'
Unless you are using a public IP address.
Re: Closed but open ports
a week ago
ONT to Grandstream 802 that connects to my Gigaset E45,
ONT to Draytek Vigor 2860ac,
@Versailles que! That's not right, unless you've got a multi-port ONT and multiple FTTP connections?
Your 2860 should be connected to the ONT and make the PPPoE connection. The 802 should then connect to a LAN port on the 2860.
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
Re: Closed but open ports
a week ago
@mystreet1, I thought, that as it was an external phone service, that was deemed as public not private.
Re: Closed but open ports
a week ago
I thought, that as it was an external phone service,
Nothing to do with the actual phone service, it's the fact that the 802 is connected to the LAN and therefore has a private IP.
It's therefore behind the router's NAT firewall and the VoIP firewall rules aren't needed.
Re: Closed but open ports
a week ago
Thread moved from Full Fibre to Tech Help
Moderator and Customer
Re: Closed but open ports
Sunday
Well, Christmas is over and back to my little problem.
As @MisterW and others pointed out, "If your phone is on private IP addresses (eg 192.168.x.x, 10.x.x.x) then you won't need to set up the firewall as you're not using public IP addresses." So I looked at the A&A configuration pages again and am still worried about using NAT as opposed to a firewall, mainly because of: "Avoid using NAT where possible.....and .......If NAT works, then well done, but if not we cannot guarantee to be able to make it work."
I also do not fully understand ".........tell the phone what its public IP address is (either by explicit configuration, or by specifying a STUN server to use - e.g. stun.aa.net.uk), or to use a SIP Application Layer Gateway to rewrite SIP packets on the fly."
The way I understand firewall rules are executed is that it executes the rules one at a time, working down the list, so before a "Block All" rule (the last rule in the list), I added a rule allowing traffic through ports 80 & 443, but the phone kept ringing every 10 minutes without anyone on the other end.
Thanks so far
Stu
Re: Closed but open ports
Sunday - last edited Sunday
As I said previously, do not confuse outbound and inbound connections through a router.
All your private IP addresses are NAT'ed to your public IP address regardless of the firewall being OFF or ON.
One of the ports used by the ATA is UDP port 5060, so using a test app I have created an outbound connection for 5060 UDP to voiceless.aa.net.uk using an Ubuntu-based (Linux) system. Command used: nc -zvu 81.187.30.116 5060
udp 0 0 192.168.10.246:35814 81.187.30.116:5060 ESTABLISHED
So in this example the OUTBOUND UDP connection from my device 192.168.10.246 port 35814 is connecting to 81.187.30.116 (voiceless.aa.net.uk) on port 5060.
So the connection from my PC is local port 35814 to remote port 5050.
The voiceless.aa.net.uk connection is from 5060 to local port 35814, which is forwarded by the router to my PC on port 35814.
It is also important to understand the outbound port is random.
Port forward rules are needed for any server-based application you might be using, in my case a VPN server.
Re: Closed but open ports
Sunday
Avoid using NAT where possible.....and .......If NAT works, then well done, but if not we cannot guarantee to be able to make it work."
I also do not fully understand ".........tell the phone what its public IP address is (either by explicit configuration, or by specifying a STUN server to use - e.g. stun.aa.net.uk), or to use a SIP Application Layer Gateway to rewrite SIP packets on the fly. "
@Versailles technically, that's correct as NAT 'breaks' the SIP protocol. When your device registers with the SIP server, it sends its IP address in the register packet so the server knows how to contact it for an incoming call. Of course, when you are behind a NAT router, the IP address in the packet will be a local e.g. 192.168.x.x address which will not be reachable from outside your LAN. Traditionally there were methods such as STUN, which allowed the public IP to be used in the register packet, or a SIP ALG which (supposedly) did similar. In reality most SIP ALGs are broken and STUN still required some port forwarding on the router. Now, most SIP servers (including A&A's) are 'clever' and ignore the IP address in the register packet and simply use the address/port from which the register packet was received; this of course will be the public IP & port as translated by your NAT router. So in effect, as long as you keep the NAT mapping alive in the router, SIP now 'just works' when behind NAT. I've used SIP both at home and in the office for over 5 years now with no problems, with at least 3 different providers, all from behind NAT routers.
As @Dan_the_Van says, you will find it difficult, if not impossible, in a home environment to not be behind a NAT router.
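The behaviour described in the two posts above (only outbound traffic creates a NAT mapping, and the SIP server rings the address and port the REGISTER arrived from, not the one written inside it), as an added Python example that is not part of the thread. The simplified NAT model, its 60-second UDP timeout, the hostname sip.example.net and every address other than 192.168.10.246 are constructed assumptions.

```python
import ipaddress, re

# Constructed REGISTER from a phone on the LAN (every address is a sample value).
REGISTER = ("REGISTER sip:sip.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.10.246:5060;branch=z9hG4bKsample1;rport\r\n"
            "From: <sip:1000@sip.example.net>;tag=a1\r\n"
            "To: <sip:1000@sip.example.net>\r\n"
            "Call-ID: sample-1@192.168.10.246\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Contact: <sip:1000@192.168.10.246:5060>\r\n"
            "Content-Length: 0\r\n\r\n")

def registrar_binding(msg, src):
    """Return (address to ring, nat_detected); src is where the packet came from."""
    m = re.search(r"^Contact:\s*<sip:[^@>]+@([\d.]+)(?::(\d+))?", msg, re.M | re.I)
    contact = (m.group(1), int(m.group(2) or 5060))
    natted = ipaddress.ip_address(contact[0]).is_private or contact != src
    return src, natted  # the Contact address is ignored in favour of the source

class Nat:
    """Simplified home NAT: only outbound packets create or refresh a mapping."""
    def __init__(self, public_ip, timeout=60):
        self.public_ip, self.timeout, self.next_port = public_ip, timeout, 40000
        self.table = {}  # public port -> [lan_addr, remote_addr, last_seen]

    def outbound(self, lan, remote, now):
        for port, entry in self.table.items():
            if entry[:2] == [lan, remote]:
                entry[2] = now  # keepalive or re-REGISTER restarts the timer
                return (self.public_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = [lan, remote, now]
        return (self.public_ip, port)

    def inbound(self, port, remote, now):
        entry = self.table.get(port)
        if entry and entry[1] == remote and now - entry[2] <= self.timeout:
            return entry[0]  # forwarded to the LAN device
        return None  # no live mapping for this sender: dropped

def demo():
    nat, phone, server = Nat("203.0.113.7"), ("192.168.10.246", 5060), ("198.51.100.20", 5060)
    ring_at, natted = registrar_binding(REGISTER, nat.outbound(phone, server, now=0))
    results = {"ring_at": ring_at, "natted": natted,
               "call_30s": nat.inbound(ring_at[1], server, now=30),
               "stranger_30s": nat.inbound(ring_at[1], ("192.0.2.99", 5060), now=30)}
    nat.outbound(phone, server, now=50)  # keepalive before the 60 s timeout
    results["call_100s"] = nat.inbound(ring_at[1], server, now=100)
    results["call_300s"] = nat.inbound(ring_at[1], server, now=300)  # idle too long
    return results
```

Calling demo() shows the incoming call reaching the phone while the mapping is fresh, a packet from an unrelated sender being dropped, and the call being lost once the mapping has been idle longer than the timeout.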
Monday - last edited Monday
@mystreet, @MisterW, @Baldrick1, @Dan_the_Van
Thanks folks, for your input and thorough information, I think I have a better understanding now of what's going on.
I have finally got it to work, sorry but not using the NAT port forwarding rules but revisiting my Firewall settings.
I decided to turn off every firewall rule I had set up; these were the original "NetBIOS - TCP/UDP, Port: from 137~139 to any", all the A&A IP-based rules I added, and a final rule that was live, Block all. The Let's Encrypt certificate for AudioStation worked straight away.
I enabled all the rules and added a specific rule to allow anything through to my NAS (via its IP address) - from TCP Port 443 to Port 5001 and it still works.
Now, I am hoping that I do not get spurious calls every 15-20 minutes like I did last time - fingers crossed!
Summary - I have successfully linked my Synology NAS with the Amazon Skill - AudioStation and can now play music directly from my DS218j via the Alexa by saying "Alexa > Ask Audiostation > to play > .................😀