If you are running un-patched version and you allow DDNS through your Firewall and hackers own your machine - they can possibly own other machines on the network.
Your role is to limit the surface of attack:
- limit countries that can connect
- limit IP's that can connect
- set timing on firewall open / close ports (pfsense can open / close ports by schedule)
- set ports that are not standard for synology (not 5000 / 5001)
- set IP blocking for brute-force attacks (limit how many failed logins can happen from 1 ip address)
- put your Synology on a separate from network VLAN
The smaller the surface of the attack the better your chances are to stay safe.
Definitely upgrade your Xpe if you are a few versions behind.