Hello, I'm quite new to the OpenWrt community and recently I have been experimenting with OpenWrt on a NanoPi R5S device. I built a custom image from the master branch and started playing with the network configuration. Yesterday I encountered an issue I don't understand.
I have two networks, LAN (eth1, 192.168.0.1) and DMZ (eth2, 192.168.6.1); I deleted WAN to simplify the problem. Now when I connect my PC to DMZ I get the IP 192.168.6.127 assigned. My question is: why can I still access the OpenWrt web interface using the LAN IP 192.168.0.1 and ssh to 192.168.0.1 from my DMZ network/zone?! I would expect that this is not possible with my current configuration when there is no zone forwarding. So when I am in the DMZ zone I can access LuCI using both 192.168.6.1 and 192.168.0.1 and ssh to the router using both IPs. Why is it like that?
Firewall:
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'
Your solution will work for sure, but why, conceptually, is it possible to connect from one network (DMZ) to another (LAN) even when there are no zone forwarding rules? I would expect such an operation to be impossible as those are 2 separate zones. I would like to know why exactly this is allowed in my current setup.
Traffic to the router is categorized as INPUT, not FORWARD, as the router is the destination and not a packet forwarder. As mentioned earlier by @frollic, the services bind to all IPs, and if you need to restrict access to the router for some reason, you should change the input in the respective zone to DROP/REJECT and allow only traffic to the desired IP with a rule. However, it will not make any difference in your case.
But if I am in the DMZ network 192.168.6.x, why would the router even accept a request to a different network, 192.168.0.1? 192.168.0.1 is the LAN network with input set to REJECT, so I would expect that such a rule would prevent any connection from all other networks (like DMZ).
All the IPs of the router, regardless of the interface, are INPUT.
The INPUT policy is applied to the ingress traffic from an interface.
So when your traffic is coming from the DMZ interface, regardless of which router IP it is pointing at, it will be accepted.
This is universal Linux behaviour.
I did some more research on it. It looks like the behaviour you are describing is called "Directly Connected Networks" routing rules. And as far as I understand, one of the solutions to achieve port separation (LAN vs DMZ) is to create bridges for both networks, as described in this article in the section "Multiple bridged networks"?
No, the solution is to reject input from any zones that you don't want to be able to access the router (and then set up any relevant rules for traffic that does need to go to the router, e.g. DHCP and DNS), as you have previously been advised by others.
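The approach described in the last reply, written out as an added example that is not part of the thread: a /etc/config/firewall fragment that replaces the dmz zone from the question and adds the minimum rules a DMZ client needs. It assumes the addresses from the question; the rule names are made up.

```uci
config zone
	option name 'dmz'
	# The ingress zone decides the INPUT verdict, whatever router IP the
	# packet is addressed to, so rejecting here closes 192.168.0.1 as well.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'

# DHCPDISCOVER is sent to the broadcast address, so no dest_ip on this rule.
config rule
	option name 'Allow-DHCP-dmz'
	option src 'dmz'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS only on the DMZ-facing address; queries to 192.168.0.1 stay rejected.
config rule
	option name 'Allow-DNS-dmz'
	option src 'dmz'
	option dest_ip '192.168.6.1'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Optional: allow ping to the DMZ gateway address for troubleshooting.
config rule
	option name 'Allow-Ping-dmz'
	option src 'dmz'
	option dest_ip '192.168.6.1'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
```

After `service firewall restart`, LuCI and ssh are unreachable from the DMZ on both 192.168.6.1 and 192.168.0.1; if management from the DMZ is wanted, add one more rule with `dest_ip '192.168.6.1'` and the needed ports rather than reopening input for the whole zone.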