@dragonsidedd@rail_ fair enough yea. you can have a network-wide firewall without nat as well which is more idiomatic and avoids introducing the nat problems
and afaik most routers with ipv6 support do just that by default since not having a networkwide firewall after 25 years of everything having one would indeed be a bad idea
also its usually configured through the same “port forwarding” interface, which annoys me to no end