DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Help setting up IPv6 filter to allow access IN to device

18 Jan 2017 18:51 #1 by sjltech.uk
Throwing myself on the mercy of some kind, sagely souls...
I have a pair of 2925s set up in HA (hot-standby) mode
Dual WANs coming in:
WAN1 - BT using white Openreach modem
WAN2 - Virgin Hitron in modem mode
LAN (IPv6) set up to use whichever WAN I choose to favour for addressing (currently using WAN2)
Running dual-stack, BT line is native, Virgin is set up using a Hurricane Electric tunnel
All of this is working well, external IPv6 testing sites are happy.
So, I now want to make a Nextcloud device accessible from the internet over IPv6 (I know this will give me some limitations at the moment)
I can access the device correctly using its FQDN (IPv6) from the LAN side.
I currently have another Nextcloud device set up on the LAN and use IPv4/DDNS/NAT to access it, this works fine.
So, I know I need to set up some firewalling around this, but I am hitting a brick wall (poor choice of phrase I know, but...)

Firewall >> General Setup
Call Filter - Enabled - Start Filter Set = Set#1
Data Filter - Enabled - Start Filter Set = Set#2

Enable Strict Security Firewall = Enabled
Block connections initiated from WAN = IPv6 is checked

I have created 2 IPv6 objects as below: (Objects Setting >> IPv6 Object)
Name = "Any_IPv6"
Address Type = Any Address
Match Type = 128 Bits
Mac Address = 00 00 00 00 00 00
Start/End IP Address = both empty
Prefix Length = 0
Invert Selection = not checked

Name = "cloud6"
Address Type = Mac Address
Match Type = 128 Bits
Mac Address = B8 27 EB xx xx xx (Real MAC address of Raspberry Pi)
Start IP Address = The IPv6 address the device has acquired
End IP Address = empty
Prefix Length = 0
Invert Selection = not checked

I want the first IPv6 object to represent ANY IPv6 address coming in, and the second to be the device I want to permit connection to.

I added a rule to allow ICMPv6 in as follows:
Filter Set 2
Added rule "ICMPv6-Allow"
Direction = WAN -> LAN/DMZ etc
Src IP = "Any_IPv6" (to match IPv6 object created above)
Dest IP = Any
Service Type = Protocol 58
Action = Pass Immediately
(syslogging enabled and I can see this working when I test from external sites)

Then I tried to create another rule to allow HTTPS (443) traffic to the IPv6 Nextcloud device as follows:
Additional rule "PI-CLOUD6-EXT"
Direction = WAN -> LAN/DMZ etc
Src IP = "Any_IPv6" (to match IPv6 object created above)
Dest IP = "cloud6" (to match IPv6 object created above)
Service Type = TCP Port from 443 to 443
Action = Pass Immediately
(syslogging enabled and I NEVER see this working when testing - all I see on the external site is that it's not accessible)
(had to cut here and add another post)

18 Jan 2017 18:54 #2 by sjltech.uk
(part 2)
I've noticed that as soon as I try to access the device from the external site, my router reboots itself!
Management ports on the router have been changed from 443, and WAN management is disabled.
I then checked the SSL VPN settings and found they're also on 443, so moved them to a different port.

If I simply uncheck the "Block connections initiated from WAN IPv6", and disable the "PI-CLOUD6-EXT" rule, everything's fine and accessible.

Everything I've been able to find about firewalling with the Draytek seems to be controlling OUTGOING stuff, so I am really struggling to see what I'm doing wrong and would really appreciate some sagely advice please.

Very prepared to be slapped in the face with a wet mullet on this one :?
Thanks in advance
Simon
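
The two posts above describe an ordered inbound IPv6 filter (an ICMPv6 pass rule, a TCP/443 pass rule to one host object, and a default that blocks connections initiated from the WAN). The following script is an added example, not code from the poster or from DrayTek: it models those rules with generic first-match semantics and the Python `ipaddress` module so the expected verdict for each kind of inbound packet can be checked on paper before touching the router. The object and rule names are taken from the post; the addresses are constructed values from the 2001:db8::/32 documentation range, and the matching semantics (first matching rule wins, then the WAN-block default; an address object is either "any" or a prefix) are assumptions about a generic filter, not a statement of how the 2925 evaluates its objects.

```python
"""Ordered IPv6 packet-filter model (added example, not DrayTek code).

Object and rule names mirror the forum post; the matching semantics
(first matching rule wins, then a default that blocks WAN-initiated
traffic) and every address below are assumptions / constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "WAN->LAN" or "LAN->WAN"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AddrObject:
    """An address object: network=None means 'any address', else a prefix."""
    name: str
    network: Optional[ipaddress.IPv6Network]

    def matches(self, addr: str) -> bool:
        if self.network is None:
            return True
        return ipaddress.IPv6Address(addr) in self.network

    def covered(self, candidates: List[str]) -> List[str]:
        """Which of the candidate addresses this object would match."""
        return [a for a in candidates if self.matches(a)]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: AddrObject
    dst: AddrObject
    proto: Optional[str]    # None = any protocol
    dport: Optional[int]    # None = any destination port
    action: str             # "pass" or "block"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and self.src.matches(pkt.src)
                and self.dst.matches(pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Objects named as in the post. The host address is a constructed
# documentation-range value standing in for the Pi's real global address.
ANY_IPV6 = AddrObject("Any_IPv6", None)
CLOUD6 = AddrObject("cloud6", ipaddress.IPv6Network("2001:db8:1::10/128"))
# Same host object but with its prefix collapsed to /0: in this model that
# matches every address, so a pass rule to it would cover every LAN host.
CLOUD6_PREFIX0 = AddrObject("cloud6 (prefix 0)", ipaddress.IPv6Network("::/0"))

RULES = [
    Rule("ICMPv6-Allow", "WAN->LAN", ANY_IPV6, ANY_IPV6, "icmpv6", None, "pass"),
    Rule("PI-CLOUD6-EXT", "WAN->LAN", ANY_IPV6, CLOUD6, "tcp", 443, "pass"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES,
             block_wan_initiated: bool = True) -> Tuple[str, str]:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    if block_wan_initiated and pkt.direction == "WAN->LAN":
        return "block", "default: block connections initiated from WAN"
    return "pass", "default: pass"


# Constructed sample traffic: external probe host -> LAN hosts, plus one outbound flow.
SAMPLE = [
    Packet("WAN->LAN", "2001:db8:ffff::1", "2001:db8:1::10", "icmpv6"),
    Packet("WAN->LAN", "2001:db8:ffff::1", "2001:db8:1::10", "tcp", 443),
    Packet("WAN->LAN", "2001:db8:ffff::1", "2001:db8:1::20", "tcp", 443),
    Packet("WAN->LAN", "2001:db8:ffff::1", "2001:db8:1::10", "tcp", 22),
    Packet("LAN->WAN", "2001:db8:1::10", "2001:db8:ffff::1", "tcp", 443),
]


def classify(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str]]:
    """Verdict and matching rule (or default) for each packet."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE, classify()):
        print(f"{pkt.direction} {pkt.proto}/{pkt.dport} -> {pkt.dst}: {action} ({why})")
    hosts = ["2001:db8:1::10", "2001:db8:1::20"]
    print("cloud6 /128 covers:", CLOUD6.covered(hosts))
    print("cloud6 /0 covers:  ", CLOUD6_PREFIX0.covered(hosts))
```

Run it as-is to see the verdict table: ICMPv6 and TCP/443 to the cloud6 host pass by explicit rule, TCP/443 to any other LAN host and TCP/22 to the cloud6 host fall through to the WAN-block default, and the outbound flow passes. The `covered` comparison at the end is the check worth making against any host object whose prefix length reads 0: in this model a /0 object matches every address, so a rule meant for one host would open that port to the whole LAN. Whether the router treats the Prefix Length field that way for a MAC-type object is not something the thread establishes, so the safe reading is to confirm the object really resolves to a single /128 before relying on the rule.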
