How to make Synology Reachable on LAN Only

I lately had a dilemma: what is the silver bullet to stop this problem from happening?

DMZ is the solution

I have already disabled the admin account and changed the SSH port. The brute force attack has since diminished but is not gone away.

I need SSH enabled because I work with Docker.

The root cause was that I had whitelisted the IP address of the Synology on my router DMZ in order to reach it from outside my LAN:

Once I turned that on my Synology was reachable only from within my LAN network.

And now yes, I can still use SSH to connect to Docker and other VMs but only within the LAN.

The brute force attack are gone for good.