Sure, but if I allow this through the WAN interface (as posted above), I can access the router through it's "external" IP in my "real" LAN. This way, I thought I could simply make the whole LAN the "guest" LAN.
So is the firewall setting posted above okay for this (maybe a bit special) setup? If so, why do the DROP rules prevent LAN access to the router's SSH server, but not to it's HTTP server?