Trying to understand nature of "DoS attack: RST Scan" log messages

Things that will get logged, are scans that will look for signs of a closed port (this is used to check if a host is live even if it can't get much info on what is actually using the port.

While it will use some resources, often it is less than 1% load even when you connect the WAN port directly to another PC and do a DOS attack directly to it. The router will not generate a separate log entry for each packet, thus it effectively self regulates to avoid flooding the log file with junk.

If you want the router to give you a nice set of a range of log entries, run this scan on all service ports. https://www.grc.com/shieldsup

Beyond that, many log entries of DOS and other attacks are very common and are simply what many people tend to refer to as internet background radiation. Often from random infected devices, e.g., the person still running windows XP that is still endlessly scanning the entire IPv4 range  looking for systems to spread the sasser worm to, or other junk. Or people who have old IOT devices that never receive security updates and are now endlessly scanning the IPv4 space or even IPv6 space and endlessly running exploit toolkits on every host it finds. Overall, it is a constant thing and there is not much that can be done about it. For example, a 2 minute packet flood at 1Gbps will generate around 7 log entries.

As for destination, they are not really listed for such attacks since they are directed at your WAN IP. Devices behind the NAT are not exposed enough to be directly targeted unless you have a device deliberately exposing itself via port forwarding or UPnP.

PS most security entries with a destination IP are not blocked, and instead are listed for your information. For example, if you have a Verizon Fios DVR, and have the DVR connected to your netgear router using a MoCA to Ethernet bridge, and have the proper ports forwarded, then you will occasionally see entries beginning with "[LAN access from remote]", especially when you are using the remote DVR service to manage recordings.

As for the logging, I feel that they are intentionally kept to a minimum, especially considering that there is far more detail if you capture a debug log via the debug.htm page of the router.

As for using a separate firewall, what makes it through could depend on how it is configured and how it handles established connections, as they have to strike a balance between preventing unrequested traffic, but also allowing connections to be established by any LAN side device when a packet matches the LAN to Any ruleset. Sometimes things can get complex when a device may have other services running on different ports, e.g., if the company wants to grab analytics data or other stuff unrelated to your streaming.

In addition to that, many more advanced firewalls will also default to very permissive rules (unless they have a more security focused setup wizard), where you may have an allow all rule, and then a bunch of specific blocking rules, and things can be a lot more permissive than many default rules of many consumer routers, since the more advanced units focus on giving the user more control.

While normally a response due a LAN client's request will not result in a DOS or other flag in the logs, unrelated traffic from a device that you requested data from can still result in entries. For example, if you do the GRC scan, even though you requested traffic to the page, you did not request specifically each individual scan from that server, thus that traffic will be logged.