D'oh. It was obvious really.
The reason I can block it on my machines and not on the edge firewall is because when I add the IP to my firewall it gets added to the OUTPUT as well as the INPUT chains. And since the traffic is not FROM the IP in question but does cause a response to be sent TO it, it gets stopped via the OUTPUT chain.
In the edge firewall, I could have duplicated this by adding the IP to the equivalent of the OUTPUT chain - but I don't normally bother as I'm only interested in stopping incoming traffic.
But now I know better and will add future stuff like this to both.