So I had the idea that the router would default to allowing no incoming connections - because of IoT things and appliances on the LAN which potentially have poor security posture - but that hosts that wanted to run servers could set the no-firewall DHCP user class, and the router would notice this and allow all incoming for them. (This is for IPv6; I have no interest in implementing any v4 port forwarding unless I absolutely have to.)

This does feel weirdly like client-side authentication (perhaps because it is?), but right now I'm thinking it's probably OK. The firewall isn't a trust boundary (the LAN is an untrusted network); it's just there to discourage "smart" devices from joining botnets.

All that said, getting anything other than a Windows machine to send a DHCP user class is either somewhat involved or significantly impossible.
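As an added example (not the poster's code), here is what the router-side half of that idea looks like: parse the DHCPv6 User Class option (option 15, RFC 8415) out of a client's option buffer and apply a default-deny policy that opens inbound only for hosts asserting the `no-firewall` class named above. The class name is taken from the post; the option encoding helper, the sample client IDs and the nftables rule text are my assumptions.

```python
import struct

OPTION_CLIENTID = 1     # DHCPv6 Client Identifier option (RFC 8415)
OPTION_USER_CLASS = 15  # DHCPv6 User Class option (RFC 8415 s21.15)
NO_FIREWALL_CLASS = b"no-firewall"  # class name from the post; it is client-asserted


def parse_dhcpv6_options(payload: bytes) -> list:
    """Split a DHCPv6 option buffer into (code, data) pairs; reject truncation."""
    opts, i = [], 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, i)
        i += 4
        if i + length > len(payload):
            raise ValueError("option length exceeds buffer")
        opts.append((code, payload[i:i + length]))
        i += length
    return opts


def parse_user_classes(data: bytes) -> list:
    """User Class data is a sequence of (2-byte length, opaque bytes) items."""
    classes, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated user-class-data length")
        (n,) = struct.unpack_from("!H", data, i)
        i += 2
        if i + n > len(data):
            raise ValueError("user-class-data exceeds option")
        classes.append(data[i:i + n])  # exact item match, not a substring search
        i += n
    return classes


def allow_inbound(options_payload: bytes) -> bool:
    """Default deny; allow inbound only when the host asserts the no-firewall class."""
    for code, data in parse_dhcpv6_options(options_payload):
        if code == OPTION_USER_CLASS and NO_FIREWALL_CLASS in parse_user_classes(data):
            return True
    return False


def encode_user_class(classes) -> bytes:
    """Build an option-15 TLV (constructed test input, as a client would send it)."""
    body = b"".join(struct.pack("!H", len(c)) + c for c in classes)
    return struct.pack("!HH", OPTION_USER_CLASS, len(body)) + body


def nft_rule_for_lease(addr: str, options_payload: bytes) -> str:
    """Assumed nftables fragment for the leased address: accept or drop inbound."""
    verdict = "accept" if allow_inbound(options_payload) else "drop"
    return f"ip6 daddr {addr} {verdict}"
```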