network – OpenWrt firewall mystery

I have my home network divided into multiple VLANs, with a main router running OpenWrt forwarding between VLANs, where each VLAN equals a firewall zone. Zone wan hosts the Internet router.

Firewall zone settings in Luci are:

  • default input=ACCEPT output=ACCEPT forward=REJECT
  • private->guest,nas,offsite,wan input=ACCEPT output=ACCEPT forward=REJECT
  • nas->offsite input=ACCEPT output=ACCEPT forward=REJECT
  • offsite->NIL input=ACCEPT output=ACCEPT forward=REJECT
  • guest->wan input=ACCEPT output=ACCEPT forward=REJECT
  • wan->NIL input=REJECT output=ACCEPT forward=REJECT MASQUERADING

Now, I have configured Luci’s uhttpd to ONLY listen to the router’s external IP address (192.168.2.1) in the private zone (uci delete uhttpd.main.listen_https; uci set uhttpd.main.listen_http=192.168.2.1:80; uci commit; /etc/init.d/uhttpd restart).

Why can I still access 192.168.2.1, and thereby Luci, from a computer (e.g. 192.168.5.200) located for instance in the guest zone? I was expecting there to be no forwarding from guest->private, but it seems the input=ACCEPT of the guest zone makes the router accept the packet addressed to it even though the destination IP address is in the private zone.

Is that really intentional?

Kind regards, Sebastian
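A small audit of the zone table, added here as an example and not part of Sebastian's post: it parses UCI firewall syntax and lists every zone whose input policy is ACCEPT, since that policy admits packets to any address the router owns, not only the address on that zone's interface. The config text and zone names are constructed to mirror the zones listed above.

```python
"""Audit an OpenWrt /etc/config/firewall for zones whose INPUT policy lets hosts
reach services bound to another zone's router address. Added example, not from
the original post; the config text is constructed to mirror Sebastian's zones."""
import re

# Constructed UCI firewall config mirroring the post's private/guest/wan zones.
FIREWALL_CONFIG = """
config zone
    option name 'private'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq 1
"""

def parse_uci_sections(text):
    """Minimal UCI parser: list of (section_type, {option: value}) in file order."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"option\s+(\w+)\s+(?:'([^']*)'|(\S+))", line)  # quoted or bare value
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return sections

def zones_reaching_router(text, admin_zone):
    """Zones other than admin_zone whose INPUT policy is ACCEPT. OpenWrt applies a
    zone's INPUT policy to every packet entering on that zone's interfaces that is
    addressed to the router itself, whichever router IP is used, so binding uhttpd
    to the admin zone's address alone does not keep these zones away from it."""
    return sorted(opts["name"] for typ, opts in parse_uci_sections(text)
                  if typ == "zone" and opts.get("name") != admin_zone
                  and opts.get("input", "REJECT").upper() == "ACCEPT")
```

Running `zones_reaching_router(FIREWALL_CONFIG, "private")` on the constructed config reports the guest zone, matching the access the question describes.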