I’ve both a DS1520+ and RT2600ac, running as my main devices. Not sure about the compatibility list but then I don’t have UPnP enabled on the router so no LAN devices can configure it.
I believe the compatibility list relates to the ability to use UPnP to configure routers and that’s a daft thing to do. Best is to manage your router’s security policy yourself. The last thing you want is a badly built IoT device trashing your policy, or malware doing the same.
The best advice I can think of is to try to mimic your current LAN configuration on the RT2600ac and then switch over the routers. I usually will connect a Mac direct to a new router to configure it, before connecting the router to the home LAN. Once configured, remove the current router and wire in the new one, and hopefully it will pretty much work.
As for the router's firewall and port forwarding:
The firewall policy rules are applied from the top of the list to the bottom. Once a match has been made, the action is applied and lower rules are ignored.
Port forwarding rules will, by default, create corresponding firewall rules. These will be to allow any TCP/UDP connections from any source IP to use the forwarded port. You can opt to switch off automatic firewall rules for forwarders and create more restrictive firewall rules. You can start with the automatic rules and later replace them with your own more restrictive rules, then disable the automatic feature.
Remember to set the bottom four rules to deny.
The DSM firewall can create its own rules to allow access for the packages you are running. Whether you normally use it or not, this feature will show you what ports you need to port forward if you want to allow inbound connections from the Internet.
For VPN server services, my personal preference is to use VPN Plus on SRM rather than VPN Server on DSM: do the network and remote access on the router and the storage and file services on the NAS. So I don't have standard user accounts on SRM, I run LDAP Server on DSM with a group of user accounts for SRM's remote access. Then only allow LDAP users to have minimal access to the NAS, e.g. to access the portal for password changing. This is more cumbersome but I'd rather not have users accessing SRM's web portal.
Don't forget that Synology has made VPN Plus licences free.
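An added example, not part of the original post: a small Python model of the top-to-bottom, first-match evaluation described above, showing how an automatic "any source" rule for a forwarded port shadows a more restrictive rule placed below it. The rule format, rule names, and the documentation-range IP addresses are constructed for illustration and are not SRM's own configuration format; protocol (TCP/UDP) is left out to keep the model short.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # IPv4 CIDR; "0.0.0.0/0" means any source
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"

    def matches(self, src_ip: str, port: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return in_net and (self.port is None or self.port == port)

def evaluate(rules, src_ip, port):
    """First match wins: return (action, rule name); lower rules are ignored."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return "no-match", None

def shadowed(rules):
    """Return (later, earlier) pairs where the later rule can never be reached."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = ipaddress.ip_network(later.source).subnet_of(
                ipaddress.ip_network(earlier.source))
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_src and covers_port:
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed policy 1: automatic forwarder rule left on, restrictive rule added below it.
AUTO = [
    Rule("auto: forward 443", "0.0.0.0/0", 443, "allow"),
    Rule("allow 443 from office", "203.0.113.0/24", 443, "allow"),
    Rule("deny all", "0.0.0.0/0", None, "deny"),
]
# Constructed policy 2: automatic rule disabled, only the restrictive rule and the deny.
MANUAL = [
    Rule("allow 443 from office", "203.0.113.0/24", 443, "allow"),
    Rule("deny all", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("AUTO", AUTO), ("MANUAL", MANUAL)):
        print(label, evaluate(policy, "198.51.100.7", 443), shadowed(policy))
```

Running it shows the same outside address being allowed under the first policy and denied under the second, and flags the office-only rule as unreachable while the automatic rule sits above it.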