Running the wizard does a satisfactory job of adding reasonalbe firewall rules to your WAN interface. The first thing to keep in mind if you're new to ER (or VyOS or Vyatta) is the concept of traffic TO the router (any IP address dynamically or statically assigned to an interface) and traffic THROUGH the router (any other address traversing Internet -> WAN -> LAN (switch0) -> server/pc/phone) or vice versa. So, in the GUI or CLI you should have something like:
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN set interfaces ethernet eth0 firewall in name WAN_IN set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL set interfaces ethernet eth0 firewall local name WAN_LOCAL
One problem you saw (first post) is a port conflict with your GUI and Synology using port 443. As you noted (second post) you can change the services on the router to listen only on an internal address -- good decision! That's fine unless you need remote access to the router. So, you can also change the port the service uses with 'set service gui https-port' or 'set service ssh port' -- pick something between 1024 and 65000 and adjust your LOCAL firewall accordingly.
As for UPnP, yes, v2 is better, but I still can't recommend that and security at the same time (my opinion). Keep in mind ANYTHING on your network can use that to open ports -- not just the Synology box. I much prefer to use something like Port Forwarding to statically define what can be reached internally from the Internet. Take advantage of the port translation again to use ports other than the well known ones. For instance, that example in the linked doc shows mapping WAN TCP/10443 to LAN TCP/443 for a server. You could pick 1911 or 32019 -- you just have to remember to specify that port in your browser when you access it from the Internet (https://<WAN-IP>:32019/login , for example).
Most folks refer to that as "security through obscurity", but it definitely eliminates 99% of script kiddies scanning your open ports and gives you time to apply patches when new vulnerabilities are discovered. Unfortunately, IKE (UDP/500) and NAT-T (UDP/4500) are hard standards that you'll probably have to live with if you want to use the Synology IPSec VPN. But, your ER-X also supports VPN -- IPSec and OpenVPN so perhaps you can use that instead. YMMV.
Also, if you want to harden internally, you can adapt this Guide to restrict your LAN to LAN traffic.