OpenWrt firewall mystery

Here I beg to differ. You would often NOT want the configuration interface of a device to be available from any connected network, whilst still wanting to allow other services to be available to all connected networks.

I mean, just look at that from a distance:

root@tplink1:/etc/config# ncat -v -l 192.168.2.1 12345
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.2.1:12345
Ncat: Connection from 192.168.7.130.
Ncat: Connection from 192.168.7.130:34892.

And that with a configuration that does not allow zone forwarding from the 192.168.7 network to the 192.168.2 network.

From your explanations I understand now why this happens, and that considering the algorithm given by Thinkcat in Recommended firewall settings - #2 by lleachii, the packet from 192.168.7.130 to 192.168.2.1 does not go OUT through another interface but is rather destined as INPUT to the router. But it's still not what one would expect at first glance ...

So the solution is to REJECT all INPUT to the router in all zones but the private zone in general, and then to individually ALLOW access by devices in other zones/LANs than private to exactly the IP address of the router IN THAT zone/LAN.

Can that be expressed by one simple rule per zone/LAN?

Kind regards,
Sebastian
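One way to write that policy in /etc/config/firewall, as an added example that is not from Sebastian's post or from the OpenWrt project. Zone names, the guest subnet and the router's address in the guest LAN (192.168.7.1) are assumptions; the private LAN uses 192.168.2.1 as in the post.

```uci
# /etc/config/firewall (added example): the private zone keeps full access
# to the router; every other zone has INPUT rejected and gets one rule that
# re-opens only the router's own address inside that LAN.

config zone
    option name     'lan'           # private zone, 192.168.2.0/24 (assumed)
    list   network  'lan'
    option input    'ACCEPT'
    option output   'ACCEPT'
    option forward  'ACCEPT'

config zone
    option name     'guest'         # 192.168.7.0/24 (assumed)
    list   network  'guest'
    option input    'REJECT'        # default: nothing reaches the router ...
    option output   'ACCEPT'
    option forward  'REJECT'        # ... and no 'config forwarding' from guest,
                                    # so 192.168.7.x cannot reach the lan zone

# One rule per non-private zone: a rule with 'src' but no 'dest' applies to
# INPUT, and 'dest_ip' limits it to the router's address in that zone.
# A packet from 192.168.7.130 to 192.168.2.1 no longer matches and is rejected.
config rule
    option name      'Allow-Guest-Router-Own-IP'
    option src       'guest'
    option dest_ip   '192.168.7.1'  # router address in the guest LAN (assumed)
    option proto     'tcp udp'
    option dest_port '53'           # DNS; list further ports as needed, or drop
    option target    'ACCEPT'       # dest_port to allow every service on that IP

# DHCP: a client without an address broadcasts to 255.255.255.255, so the
# dest_ip-restricted rule above never matches it; keep a separate rule.
config rule
    option name      'Allow-Guest-DHCP'
    option src       'guest'
    option proto     'udp'
    option dest_port '67'
    option target    'ACCEPT'
```

After `/etc/init.d/firewall restart`, repeating the ncat listener test from a guest client against 192.168.2.1 should now show no connection, while 192.168.7.1:53 still answers.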