DMZ: no working access to WAN + no access from LAN

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello,
My router has 3 interfaces, and I have created 3 networks:
WAN
LAN
DMZ

I didn't modify the "automatically deployed" settings for WAN and LAN.
And there are no issues with these networks, means I have internet access from LAN; DHCP and DNS (using Stubby | DNS over TLS) services are working.

However, network DMZ is not working as expected. This means only DHCP and DNS services are working. Connecting to the internet fails with this error:
Connection refused. Cannot initiate the connection.

Furthermore I cannot ping any client in DMZ from LAN, consequently SSH to any client in DMZ is not working.

This is my network config of LAN and DMZ:

config interface 'lan'
	option proto 'static'
	option ip6assign '64'
	option device 'lan2'
	option force_link '0'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option proto 'static'
	option ip6assign '64'
	option device 'lan4'
	option force_link '0'
	option ipaddr '172.16.9.1'
	option netmask '255.255.255.0'

And this is the current firewall config:

package firewall

config include
	option path '/etc/firewall.user'
	option reload '1'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'

config zone
	option name 'dmz'
	option network 'dmz'
	option output 'ACCEPT'
	option log '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config redirect
	option name 'DMZ: Allow forward to WAN HTTP'
	option src 'dmz'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'DMZ: Allow forward to WAN HTTPS'
	option src 'dmz'
	option src_dport '443'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'

The firewall rules are obviously loose; before tighten firewall rules I want to ensure DMZ is working.

Can you please advise how to troubleshoot this issue?