What am I doing wrong with this  Spark router HG659b  compared to the old HG630b

Late last year Spark upgraded my fiber to 300Mbits  down and 100 up.  To get the benefit of this I bought a HG659b  from Trademe  and set up as best I could compared to the 630b.

I also have an old NEC PBX with SIP trunks on 2Talk and a analog vis Spark  Fiber Phone .   With the HG630b I have mapped port 5060 to the PBX IP address.  This has worked fine for the past 5 years but after a couple of ours  my phones started to rung randomly . Looking at the call records coming out of the system the are hacker attempts to reroute out of the system with incoming CLID of such  number as 101, 1001, 501, 601 and a few other randoms.  As these numbers end in  digit 1 which is the common PBX  trunk access code in NZ  the hackers generally have a 1 as the last number.

The port mapping in the HB 659b is quite different from the 630b in that you can only point to a MAC address and set the protocol as SIP  which I have done  but now see these hack attempts.

I change the trunk port to Direct Inward Dial  as apposed to Ring Group  and this stopped calls getting to any on the phones and looking at 2Talks call logs  there have been no hack calls.

The hacker seems to stop about 2.00am and restarts about 3.00pm

Any suggestions??  Thanx

If I have to use the old 630b router  it's not a  biggy as I use  Ethernet over power to get to my PC which tops out at about 95 Mbits  and only the streaming  devices benefit from the new router.