Strange Suricata blocks

So for the last few days, I’ve been getting some strange things on my Suricata alerts/blocks. I did a whois and it goes back to China Unicom. The odd part is the IP addresses being used and why they are showing up on my firewall; please see the attached screenshot. It appears they are using 1 subnet to connect to another subnet, but bouncing it off my firewall???

Now here is the other oddity:

My firewall is already behind NAT at the college (10.111.xx.xx), so it is the second firewall deep. I'm trying to understand how this is happening and what it is doing.