Standard User Daveytee
(newbie) Wed 05-Feb-25 22:03:28

Virgin Media Router Port Forwarding


I'm posting once again about Virgin Media - this time about the port forwarding on the Hitron router we have at work on our connection.

We've been having loads of issues with connectivity that I've posted about elsewhere on here but the current issue is that I've set up port forwarding on the router to allow ssh (not on the ssh port but a higher one) from an IP that is my EC2 instance(/32).

The first thing I realised is that the port forwarding rules don't allow more than one rule to forward traffic to the same internal IP/port (It's actually the WAN interface of an OPNsense box but the router is still in RG mode, not modem mode).

What I'd have liked to have done is add rules to allow SSH on my port number from both my EC2 instance AND my home IP but this isn't possible (I guess if I set SSH on OPNsense to listen on two ports I could have achieved it).

Anyway, I decided to just allow traffic from my EC2 instance, as I can connect to that from anywhere.
It works some of the time - although sometimes when I do nmap to the port in question it says 'filtered' and others 'open'.

What concerns me greatly is that I get the same from my home IP (and even if I use my phone as a hotspot) - sometimes it doesn't work but other times nmap says the port is 'open' and if I try my ssh connection it works.

I tested with the rule deleted and cannot get in so it's definitely the VM Router's rule that's allowing traffic through - but not filtering like it should.

Anyone else seen this - I've read on VM community forums that people say the port forwarding is flaky but this is downright dangerous and irresponsible for them to have a feature on the router that is so insecure.
I can't understand how this can be - the routers are made by Hitron so surely their routers are subject to the same issues which is absolutely unforgivable.

For those that are wondering, we're ultimately going to be using the VM router in modem mode but for now have to use it like this.
The OPNsense box is set to disallow root ssh login, disallow password ssh login and is VLANd from the rest of the network on its LAN interface.
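
One way to measure what the post above describes from the receiving side (an added example, not part of the original post): read the SSH daemon's log on the box behind the router and report every source address that reached it but is not on the intended allow-list. The allow-list entry, addresses, port and log lines are constructed samples, and a classic syslog layout is assumed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the single source the router rule is meant to admit (documentation range).
ALLOWED = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sample lines in OpenSSH's message format; every value is invented.
# "Connection from" is only logged when sshd runs with LogLevel VERBOSE.
SAMPLE_LOG = """\
Feb  5 21:40:01 fw sshd[4101]: Connection from 203.0.113.10 port 50514 on 192.168.0.2 port 2222
Feb  5 21:40:02 fw sshd[4101]: Accepted publickey for admin from 203.0.113.10 port 50514 ssh2
Feb  5 21:44:17 fw sshd[4120]: Connection from 198.51.100.7 port 40022 on 192.168.0.2 port 2222
Feb  5 21:44:18 fw sshd[4120]: Connection closed by 198.51.100.7 port 40022 [preauth]
Feb  5 21:52:40 fw sshd[4133]: Connection from 192.0.2.55 port 61200 on 192.168.0.2 port 2222
Feb  5 21:52:41 fw sshd[4133]: Accepted publickey for admin from 192.0.2.55 port 61200 ssh2
Feb  5 21:53:00 fw sshd[4133]: garbled line without an address
"""

# Matches a new TCP connection or a completed login and captures the peer address.
EVENT = re.compile(r"(Connection from|Accepted \S+ for \S+ from) (\S+) port \d+")

def is_allowed(addr):
    return any(addr in net for net in ALLOWED)

def unexpected_sources(log_text):
    """Map each source outside ALLOWED to a Counter of 'connections' and 'logins'."""
    hits = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # peer logged as something other than an IP literal
        if is_allowed(addr):
            continue
        kind = "connections" if m.group(1) == "Connection from" else "logins"
        hits.setdefault(str(addr), Counter())[kind] += 1
    return hits

if __name__ == "__main__":
    for ip, c in sorted(unexpected_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {c['connections']} connection(s), {c['logins']} login(s)")
```

Any address in the result got past the router's source restriction; one with a non-zero login count also authenticated.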
Standard User Michael_Chare
(knowledge is power) Wed 05-Feb-25 23:56:03

Re: Virgin Media Router Port Forwarding


[re: Daveytee]

I have OPNsense routers at two sites. The sites are connected to each other by a Wireguard VPN.

I also have a Wireguard VPN client on my Windows laptop. Using the laptop I can access data at either of the above sites. IIRC if I do this when abroad and then try to access the BBC the BBC are not aware that I am abroad.

AIUI this approach is more secure than port forwarding.

Michael Chare
Standard User Daveytee
(newbie) Thu 06-Feb-25 10:59:40

Re: Virgin Media Router Port Forwarding


[re: Michael_Chare]

Thanks, yes I'd like to use a VPN but in this instance I don't think I'll be keeping the OPNsense box - it's only there to allow me access to monitor the network (and to monitor the internet connection).
Once the connection issues are resolved I'll probably use something different as I shouldn't require remote access.

That said, while the OPNsense box is in place I might have a look at setting up a VPN from my laptop - I've not messed with VPNs for over 10 years and I remember then they could be a PITA to troubleshoot - hopefully things have moved on since and with OPNsense they're not too bad?

D.

