Default firewall rules: Rejected forwarding not logged

Running OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-22.025.79177-4ec18ec on my WRT1900ACS does by default not log rejected forwarded packages.

I have a few firewall zones and corresponding interfaces connected to them,
and on zone wifi all but explicitly allowed forwards to zone lan are rejected.

There's the default rule chain in zone_wifi_forward, which forwards all not accepted pacakges to zone_wifi_dest_REJECT

This works for example, when I try to ping my router via wifi, I see the packet count on the logging and reject rule in zone_wifi_dest_REJECT go up,
the corresponding messages appear in my syslog - all fine.

But if I want to access another machine in another subnet, say lan - nothing is forwarded, nothing is logged.
I've found the reason to be zone_wifi_dest_REJECT only applies to packets that are destined for the wifi interface, in my case br-lan.150
(I've got some VLAN running, the br-lan.150 is my wifi interface)
Packets originating from the wifi interface do not match the logging rule and fall to the default reject rule without notice.

Adding a rule to log all packets originating from the wifi interface like this:

iptables -t filter -A zone_wifi_dest_REJECT -i br-lan.150 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wifi forward: "
iptables -t filter -A zone_wifi_dest_DROP -i br-lan.150 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "DROP wifi forward: "

does the trick and puts packets in my log, which were supposed to be forwarded but rejected or dropped.

There's some issue to it, as the rules apply fine when manually restarting the firewall, but not on boot.
I've read some about it on the forums and have circumvented it by just restarting the firewall via local.d startup after a 60-second delay.

Is there a reason to such rule not being in place by default?
I am by no means experienced in professional networking, so my question may be a little basic or even stupid to anybody more involved in networks, but I hope for some enlightenment.

Thank you very much for any insights you can provide :slight_smile: