I tried to open my NAS to outside access with this firewall rule:
config rule
    option src wan
    option proto tcpudp
    option dest wan
    option dest_port 1:65535
    option src_mac 00:11:31:35:ED:D5
    option family ipv6
    option target ACCEPT
but it does not work, and as soon as I remove src_mac it works with:
config rule
    option src wan
    option proto tcp
    option dest lan
    option dest_port 1:65535
    option family ipv6
    option target ACCEPT
Is it possible to add a MAC address so that only that device is open to the Internet? I don't want to use IPv4 at all since it is constantly scanned by bots.
Why don't you assign it a static IPv6 address and only open those ports that are needed?
Putting a NAS, that likely doesn't have too much hardening and perhaps no firewall, "on" the open Internet is something that I'd recommend strongly against.
(ACCEPT, at least as I understand iptables (I use nftables), is for the local host and it is FORWARD that you need to be working with.)
It's also possible to instead of using a complete IPv6 destination address in the firewall traffic rule use a mask and specify the interface identifier only (::xxxx:xxxx:xxxx:xxxx/::ffff:ffff:ffff:ffff) or the subprefix ID and the interface identifier (for example ::yy:xxxx:xxxx:xxxx:xxxx/::ff:ffff:ffff:ffff:ffff for a /56 prefix).
I think you should assign a static host part and use the mask idea. Also, open only the relevant ports and use a file-sharing technique that uses encrypted connections, for example nfs4 with Kerberos and privacy encryption.
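The masked-destination idea from the replies above, as an added example that is not part of the original thread: it derives the interface identifier from the MAC in the question and checks which addresses a value/mask match would accept. It assumes the NAS forms its address with modified EUI-64 SLAAC (many devices use privacy or stable-privacy identifiers instead, in which case a static host part is needed); the helper names and the 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def parse_masked(spec: str):
    """Split 'value/mask' (both written as IPv6 addresses) into two integers."""
    value, mask = spec.split("/")
    return int(ipaddress.IPv6Address(value)), int(ipaddress.IPv6Address(mask))

def matches(addr: str, spec: str) -> bool:
    """True when addr agrees with the value on every bit that is set in the mask."""
    value, mask = parse_masked(spec)
    return (int(ipaddress.IPv6Address(addr)) & mask) == (value & mask)

def iid_spec(mac: str) -> str:
    """Build the '::iid/::ffff:ffff:ffff:ffff' match for a host using EUI-64 SLAAC."""
    return f"{ipaddress.IPv6Address(eui64_iid(mac))}/::ffff:ffff:ffff:ffff"

if __name__ == "__main__":
    spec = iid_spec("00:11:31:35:ED:D5")  # MAC from the question
    print("destination match:", spec)
    # Constructed addresses under the 2001:db8::/32 documentation prefix.
    samples = (
        "2001:db8:aa:1:211:31ff:fe35:edd5",  # NAS under the current prefix
        "2001:db8:bb:7:211:31ff:fe35:edd5",  # NAS after the ISP changes the prefix
        "2001:db8:aa:1:211:31ff:fe35:edd6",  # a different LAN host
    )
    for addr in samples:
        print(f"{addr:40} {'match' if matches(addr, spec) else 'no match'}")
```

The match keeps working when the delegated prefix changes, which a rule on the full destination address would not, and it still excludes every other host on the LAN.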