I just set up a filter for myself to Telnet into the router. Here's what I
did, a question afterwards:

source = private
dest = public
packet type = stateful telnet (source port=all, dest port = 23)

source = host = my workstation ip
dest = host = router IP

I thought about making the source a network and specifying the private
network here (192.168.x.0) - I guess that would be OK because no one else
will have the router username and password - agree?

I'm wondering, if I specify it as network, when I'm on the VPN from home,
will I still be able to telnet into the router? I'm not exactly sure if I
look like I'm on the private network, at least enough, for the fitlers to
allow this.

TIA for comments on my thoughts above, anything I may have overlooked, been
too careful about, etc. The filter does work now as designed.