Dawnsinger: With IPv4 you had to have NAT, which auto-shielded everything unless it's configured to properly forward it, so you are fully isolated unless explicitly configured otherwise (and even then it hits one device only).
Gede: I see that you deposit a lot of trust on your routers. I am using the device my ISP provided me, which I'm convinced to be the cheapest model they were able to get that matched their specification.
The configuration UI shows lots of fancy useless features but it does not allow me to forward a port range! I am not convinced their focus was well placed.
I may get another router behind this machine to create another road block in case of intrusion. Sadly, I don't have much knowledge or time for such a project done right.
And you're fully correct on that assumption: it usually is the cheapest and most low-spec model the manufacturer offers, sometimes they don't even offer that model to the general public at all (many providers provide you with choice though: premium router for an added monthly fee). Yet, that cheapness does not take away the inherent "roadblock" benefit that NAT gives, whereas it indirectly is important when it comes to IPv6: the manufacturer needs to provide good and long-term security support for this model. Feature-wise or technical superiority means nothing if the manufacturer won't fix security issues, and some stop supporting the previous lineup as soon as there's a new one. Luckily, the provider itself also has a mild interest in keeping your routers secure, not only for reputation but also because they have to pay for outgoing traffic, so if their routers become attack bots, their revenue goes down, so you're more likely to get a new router than being left with an unpatched one (if it's a provider-provided router). Obviously, that depends on the state and mindset the provider is in.
The use of a RasPi as a dedicated firewall Shmacky-McNuts mentioned will indeed go a long way regarding the misconfigured router firewall. It also helps in case the router itself becomes compromised. With IPv4, I feel it's not all that important, but when IPv6 can't be avoided anymore, I'll likely do that. I'm certain there's at least one specialized Linux or BSD distro for exactly that purpose, but of course it's yet another device that needs updates and electricity, and could fail. Plus, when adding firewall rules, you then have three firewalls to reconfigure: router, RasPi and desktop.
Anyway, your port forwarding page missing is not because of router cheapness, but because of either:
1) you're on some kind of CGNAT, which is a NAT done on the provider's side just as you'd normally do on your end if your provider has enough IPv4 addresses (many younger providers don't: they were late to the party and the pool was exhausted already (that's the whole reason of IPv6's existence)). You cannot port forward behind a CGNAT, so that config page is not shown in that case.
2) you're on an exclusively IPv6 line: there is no port forwarding in IPv6, only blocking, allowing and passing through of ports in the firewall rules. But that situation is unlikely.
3) Also, many providers remote manage your router, especially cable providers, so that may also block PF (though it's not for technical reasons).
I'd bet on 1), anyway.
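
Added example, not part of any post in this thread: one way to tell cases 1) and 2) above apart is to classify the WAN address shown on the router's status page. The function name and result labels are hypothetical; the 100.64.0.0/10 range is the RFC 6598 shared address space reserved for carrier-grade NAT, and all sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address in one of these means another
# NAT device sits between the router and the internet.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_wan(wan_addr, observed_public=None):
    """Classify the address a router reports on its WAN interface.

    wan_addr        -- address from the router's WAN/status page
    observed_public -- optional: the address an external host sees you as
    """
    wan = ipaddress.ip_address(wan_addr)
    if wan.version == 6:
        return "ipv6"                  # check the IPv4 WAN address, if any
    if wan in CGNAT_NET:
        return "cgnat"                 # case 1): no inbound port forwarding
    if any(wan in net for net in RFC1918_NETS):
        return "private-upstream-nat"  # double NAT; same practical effect
    if observed_public is not None and ipaddress.ip_address(observed_public) != wan:
        # Public-looking WAN address, but the outside world sees another
        # one: translation is still happening upstream.
        return "address-mismatch"
    return "public"                    # forwarding is technically possible


if __name__ == "__main__":
    # Constructed samples (documentation and reserved ranges only).
    samples = [
        ("100.72.13.5", None),
        ("192.168.1.2", None),
        ("203.0.113.7", "198.51.100.20"),
        ("203.0.113.7", "203.0.113.7"),
        ("2001:db8::1", None),
    ]
    for wan, seen in samples:
        print(f"{wan:<16} seen-as={seen!s:<15} -> {classify_wan(wan, seen)}")
```

A "public" result points away from case 1) and toward the provider-management explanation in 3).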