Ipv6 prefix delegation network, permitting a port for external access for one address but not others

I have had ipv6 prefix delegation working fine for a while on my VyoS home network gateway.
Currently am permitting high port SSH for “all” on a for ipv6, and just have ssh enabled on that high port for the boxes I want to have access from the outside.

But I would like to just permit another high port X in ipv6 just for one device on the network, rather than permit port X for everything and hope no service on my other devices happens to listen on that port.

Is there a way to specify the permitted destination address reliably, given that it is dynamic due to the prefix delegation?
I have a DNS hostname for this box as I am using a dynamic DNS type service, but I cant specify a DNS name in the “destination … address…” config.

Hello @zogvyos1

If I understood you correctly, you can configure the zone-policy by specifying the ports that will have access.

Here is an example of settings for VyOS:
Zone-Policy example — VyOS 1.2.x (crux) documentation for VyOS 1.2
Zone Policy — VyOS 1.3.x (equuleus) documentation for VyOS 1.3
Zone Policy — VyOS 1.4.x (sagitta) documentation for VyOS 1.4

As for DNS, you can configure the port here if you have a dynamic prefix. Or you can allow access to the ISP IPv6 prefix.