The ESSID is OpenWrt_Guest
It has its own network "guest" with its own IP range "192.168.3.0/24"
Unlike my normal wifi, the guest wifi is not part of the network "lan".
In addition to that I also restricted the ssh interface to "lan":
→ System → Administration → SSH Access → Interface: "lan"
(saved and rebooted)
For some reason I can still access OpenWrt via SSH over my guest wifi "OpenWrt_Guest".
How is that possible?
If it is a kind of bug, I would see it as a security risk.
I think you need to use the real kernel name br-lan not lan for that to work.
But this is generally not how it is done. The server can run its default of listening on all interfaces, but the firewall rejects incoming connections from unprivileged interfaces. That is set up by having the default "input" rule on guest be REJECT, which is set at the bottom of the firewall summary general settings page, or in the config zone section of /etc/config/firewall.
But in the firewall rules for DHCP and DNS I entered "192.168.3.0/24" (the IP range of the guest network) as the source address. I don't understand why, but this was the reason why my guest network didn't have internet.
Still the dropbear interface restriction is irritating.
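
The zone-based setup described in the reply above, written out as a fragment for /etc/config/firewall. This is an added example, not taken from either poster's configuration; the zone and network name 'guest' follow the thread, while the rule names and the 'wan' forwarding target are assumptions.

```uci
# Guest zone: traffic addressed to the router itself (SSH, LuCI, ...) is
# rejected by default, so dropbear can keep listening on all interfaces.
config zone
	option name 'guest'
	list network 'guest'
	# 'ACCEPT' here is the weak setting: every service on the router
	# becomes reachable from the guest wifi.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests may reach the internet, but not the 'lan' zone.
config forwarding
	option src 'guest'
	option dest 'wan'

# With input REJECT, the services guests do need must be opened explicitly.
# No src_ip on the DHCP rule: a client asking for a lease has no address yet
# and sends from 0.0.0.0, so a source filter of 192.168.3.0/24 never matches.
config rule
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, an SSH connection attempt to the router from a guest client should be refused while DHCP leases and DNS lookups keep working.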