VLAN issues

If your setup supports tagged VLANs, so that you can add multiple VLANs to one port, you could make your HA a member of the VLAN as well, bypassing any router/firewall ports. See here for example:

After creating the virtual interface, you can manage it from the HA GUI.

You don’t need mDNS by the way, but if you don’t, you need to be able to add local DNS records. By switching to ping for status and adding a “domain:” clause to the wifi settings, ESPHome will do the lookup based on normal DNS.
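
The DNS-based setup described in the post, sketched as an added example (not from the original post). The node name, the domain `.iot.example.lan` and the secrets are placeholders, and the board/platform section is left out.

```yaml
# Constructed example: device configuration, e.g. porch-sensor.yaml.
# Node name, domain and secrets are placeholders; platform/board omitted.
esphome:
  name: porch-sensor

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password
  # Replaces the default ".local" suffix. The dashboard then reaches the
  # node as porch-sensor.iot.example.lan, which is resolved through
  # normal DNS rather than mDNS.
  domain: .iot.example.lan

# Optional once nothing depends on mDNS: stop the node announcing itself.
# Home Assistant will then not auto-discover the node; add it by hostname.
mdns:
  disabled: true

# Required outside this file:
#  1. A local DNS record on the resolver used by HA/ESPHome:
#       porch-sensor.iot.example.lan  ->  the node's IP on the IoT VLAN
#  2. In the ESPHome add-on configuration (not in this YAML file):
#       status_use_ping: true
#     so the dashboard checks online status with ping instead of mDNS.
```

If a firewall sits between the VLANs, ping and the ESPHome API port still have to be allowed from HA to the node for status and connectivity to work.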