> Customer edge routers are expected to contain a firewall (see RFC 7084 and RFC 6092).

Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.

And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:

    A typical IPv4 NAT deployment by default blocks all incoming
    connections.  Opening of ports is typically allowed using a Universal
    Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some
    other firewall control protocol.

and the other (§4.5) to tunnelling:

    S-3:  If the IPv6 CE router firewall is configured to filter incoming
          tunneled data, the firewall SHOULD provide the capability to
          filter decapsulated packets from a tunnel.

I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.