Quick firewall question

After some playing around, I think firewalls are slightly less confusing. I just wanted to run my setup by you folks.

I have LAN, CCTV, MAIN, and GUEST firewall zones.

LAN is for trusted devices, CCTV is self-explanatory, MAIN includes an IPTV and VoIP setup I prefer to keep off the LAN zone, and GUEST is...guest.

I want to make sure CCTV has no access to the router or the internet. I want MAIN to have access to the internet but not to the router. The same goes for GUEST, obviously.

And, of course, I don't want WAN having any input access to anything. Well, you get what I mean.

Does that look about right? No gaping holes in the layout?

I would say that looks good to me. One thing that you may need to consider is any services hosted by the OpenWrt router itself, such as DHCP. You are blocking the INPUT chain, and therefore I suspect any service request to anything hosted on OpenWrt will be dropped (e.g. DHCP). You could get around this with a specific firewall traffic rule.
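The traffic rule suggested in the reply, sketched as an `/etc/config/firewall` fragment. This is an added example, not configuration posted by anyone in the thread. The network names (`guest`, `cctv`), the rule names, and the assumption that clients use the router for DHCP and DNS are illustrative.

```uci
# GUEST: internet access allowed, router input rejected by default.
config zone
	option name 'guest'
	list network 'guest'        # assumed interface name
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Internet access for GUEST comes from this forwarding, not from input.
config forwarding
	option src 'guest'
	option dest 'wan'

# A rule with 'src' and no 'dest' is an input rule (traffic to the router).
# Open only DHCP so clients can still get a lease.
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# Needed only if guest clients use the router as their DNS resolver.
config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# CCTV: no forwarding section at all, so no internet; input rejected.
config zone
	option name 'cctv'
	list network 'cctv'         # assumed interface name
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Omit this rule if the cameras use static addresses.
config rule
	option name 'Allow-DHCP-cctv'
	option src 'cctv'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
```

MAIN would follow the same pattern as GUEST. Everything else aimed at the router from these zones (SSH, LuCI) stays rejected by the zone's input policy.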