Phone VLANs, Avoiding Broadcast Leaks, and a Question about Zones

I recently setup a second VLAN on my managed switches so I could place our new IP phones on their own network (just in case the phones ever got infected with malware).

To make this work, I setup a new interface, and I set the interface to be in its own firewall zone, that had both forward and input set to 'drop'. I then set rules so:

  • The phones could talk to the machine running the SIP server
  • They could send DHCP packets to the router
  • Devices from the main LAN could talk to the phones (for configuration and so the SIP server could reach out to the phones).

What I was curious about was broadcast packets - as I understand that most well behaved broadcasts have TTL set to 1, so they shouldn't cross over to another subnet. But... if there was a buggy piece of software (and TTL was greater than 1), would the router forward broadcast packets onto the phone vlan?

Here is my current network config setup for the phone VLAN

config device
        option type '8021q'
        option ifname 'eth0.2'
        option name 'PhoneVlan'

config interface 'PhoneVlan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask ''
        option ipaddr ''
        option ip6assign '64'

And here is the current firewall:

config zone
        option network 'PhoneVlan'
        option forward 'DROP'
        option name 'phones'
        option output 'ACCEPT'
        option input 'DROP'

config rule
        option dest_port '67'
        option src 'phones'
        option name 'Allow DHCP on Phone VLAN'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option src 'phones'
        option name 'Allow phones to talk to PBX'
        option dest '*'
        list dest_ip ''
        option target 'ACCEPT'

config rule
        option dest 'phones'
        option src 'lan'
        option name 'Allow lan to talk to phones'
        option target 'ACCEPT'

Given this setup, should I be safe, or could broadcast packets leak onto the phone network?

As a small follow up question: The rule to allow phones to talk to the PBX is set to 'any' destination zone, because the PBX software runs on a VM, which is on its own subnet and has a static route pointing to it on the router (the machine on runs the VMs on 192.168.100.x).

Is the address of the PBX considered in the LAN zone (because there's a static route pointing an address to a machine in the LAN zone) or is it considered something else (since its not on the lan's subnet)?

Thank you for any help with this!