You are correct in that remote devices such as mobile phones will present a challenge. They may use Wi-Fi or cellular or even have an ISP that will only allow DHCP rather than static.
ACL is typically referred to as an “Access Control List”. The following offers a pretty good explanation of an ACL and Firewall.
I use the firewall and can set rules that will examine the packet and allow me to allow or deny access. The issue of course is that denying is based upon IP. So, you have to know, create or find out what IPs may be involved or, create a VPN solution. In the US, I can generally determine the IP ranges in use by many of the celllar carriers and can add these into my rules. While it may allow someone to still try and hack, not many will do so using cellular, but the risk is there.
The bottom line is that if possible, use a VPN, if not then find out and try and filter as much as possible to minimize the risk and then monitor to assess the vulnerabilities and close what you can.