You can also reconfigure the RDP port to something else. I know it's security via obscurity, but more than likely it's only bots, and it's enough to stop bots.
Your initial approach is the best though: whitelisting only authorised IPs.
Looking at my Zyxel, the UI is horrific, but I think this is what you need to do.
Go to security.
Then firewall
Then access control
Add new ACL rule
Filter name - Pick a name
Keep source device set to specific IP address
Add your IP in the box below it as source IP
Protocol TCP
destination port 3389
Policy accept
Direction WAN to LAN
Do some testing from another IP to see if it's blocked; if it isn't, do another rule for deny to the port.
The problem you probably have, since the Zyxel I feel isn't suitable for commercial use (it's a very basic router, and I feel the UI is one of the worst I have seen on a router), is that I expect the NAT rule forwarding the traffic has likely already added an allow rule with source IP set to *. So your custom rule probably won't override it, I expect.
You may well have to do the lockout on the Windows firewall, which I know you were trying to avoid.
Or get a better device. Since you've done pfSense at home, is it possible to set one up for your work as well? On pfSense you can adjust the auto-created rules as you see fit and of course set other rules to override them on the firewall, no problem.
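
The Windows firewall lockout mentioned in the post above, as an added example that is not part of the original post: it scopes the built-in inbound Remote Desktop rules to an allowlist and then checks that none still accepts any source. The English rule group name 'Remote Desktop' and the source address 203.0.113.10 are assumptions; run it from an elevated PowerShell session.

```powershell
# Assumptions: English-locale rule group name and a constructed allowlist.
# 203.0.113.10 is a documentation address; replace it with your own source IPs.
$AllowedSources = @('203.0.113.10')
$RdpGroup       = 'Remote Desktop'

# Return the inbound rules of the built-in Remote Desktop group.
function Get-RdpInboundRule {
    Get-NetFirewallRule -DisplayGroup $RdpGroup |
        Where-Object { $_.Direction -eq 'Inbound' }
}

# Summarise each rule: state, protocol, local port and accepted source addresses.
function Get-RdpRuleScope {
    Get-RdpInboundRule | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }
}

# Record the scope before changing anything.
Get-RdpRuleScope | Format-Table -AutoSize

# Restrict every inbound RDP rule to the allowlist.
# If you are connected over RDP from an address that is not on the list,
# this ends your session, so apply it from the console or an allowed address.
Get-RdpInboundRule | Set-NetFirewallRule -RemoteAddress $AllowedSources

# Confirm no enabled RDP rule still accepts any source address.
$open = Get-RdpRuleScope |
    Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'Any' }
if ($open) {
    Write-Warning "Still open to any source: $($open.Rule -join ', ')"
} else {
    Write-Output 'All enabled RDP rules are limited to the allowlist.'
}

# The built-in rules cover port 3389 only. If RDP was moved to another port,
# the rule created for that port needs the same -RemoteAddress scope.
```

From a host that is not on the allowlist, `Test-NetConnection -ComputerName <server> -Port 3389` should then report `TcpTestSucceeded : False`.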