> To spell that out a bit more - a ULA to NPT address is IP based and not port based and is way more useful.

This is implementation specific: on my Asus I can specify to allow in all ports from in via a NPTv6-ULA hole, a port range, or even a single port.

If I want to only allow tcp/25 in to a particular IP I can do that, if I want 5900-5910 I can do that too, as well as 1-65535.

Well it sounds like your ASUS needs a damn good kicking!

A router moves packets from A->B and a firewall defines what is allowed from A->B.

ULA to NPT is router stuff: NPT literally means "Network Prefix Translation" it turns all your IPv6 addresses into a normalised one and shifts them.

We are not talking about ports or protocols yet, just (IP) addresses.

> Well it sounds like your ASUS needs a damn good kicking!

Why? This is exactly how I want it to work: pass through only the ports (or all the ports) I want/need for the service in question.

It might be that your ASUS is combining two things into one UI for convenience. Mapping one IPv6 prefix on the WAN to another on the LAN is one thing. Allowing traffic to a particular IP:port to cross from WAN to LAN is another. They're independent, though of course both are needed for the overall high-level task of "allow my LAN server to be reachable to the internet", so it makes sense to have a UI that does both things under the hood.