OK then, let's start basics.
DiskStation Manager or DSM is accessed by your web browser meaning your device is running a web server which is listening on some TCP/UDP port (by default those are 5000 for HTTP and 5001 for HTTPS access).
You gain entry by either typing:
1. http(s)://local.ip.address.of.your.device: portnumber (usually it is 192.168.x.x) - when the device you are connecting from is in the same network (connected to the same router) as your Diskstation
2. http(s)://some.domain.name: portnumber (i.e. mynas.synology.me or some other DDNS service depends on the provider you are using) - when the device you are connecting from is outside your local network
Both are fine actually but you need to know which port you are using (not a problem) and be sure that the networks are allowing the communication on that port (that could be and usually is an issue, since you do not control other networks).
Since all networks are monitored for one reason or another, using ports that are not well known (those are above 1024) can make the owners suspicious and they can and usually close those, which is why you got the timeout message when connecting via
https://some.domain.name:5001 and when you did contact the ISP they opened the port 5001 for you. What happens when you change your location and try to access from it while on some other network (i.e. public hotspot like that Martian KFC you guys keep referencing to, or some fancy camp in North Korea)?
In order to avoid that, since you already have a LE certificate set up with some DNS name, what do you say to accessing your device by simply putting
https://some.domain.name in your favorite web browser while omitting the port itself? (You are actually saying, ok, just use WELL KNOWN PORT for HTTPS which is surely open on all networks and the number is 443).
If you have trouble understanding any of the above, I would recommend to check how internet works by seeing
this movie. Once you do, it will be easier to understand both what and why you should do something and then move to the tutorial
@Rusty started about
implementing reverse proxy.
You could always go reverse proxy route with LE cert implemented