First of all, that isn't a LAN to WAN setting of Reject. The enable LAN to WAN is the graphic to the Left of that - under the column "Zone => Forwardings". That entire row is the Zone-based firewall settings for LAN. Each row configures the Zone named on its extreme Left. I believe LAN was accept intra-zone forwarding by default (more on how to find out below).
Nonetheless, what you circled is the forwarding of a packet FROM THE LEDE TO ANOTHER ROUTER IN THE SAME ZONE. Most consumers don't use 2 routers in the same firewall zone (unless one is doing NAT).
To get your answer, simply backup the config, erase the router and see the setting. I honestly don't have a device in default configuration to check for you. From a device that I don't believe I had to reconfigure, LAN is: Input (from LAN to router) accept, Output (from router LAN IP) accept and Forward (to other subnets in zone) accept.
Not sure what to believe. As far as I know, the circled option is for determining if traffic is forwarded between different subnets inside this firewall zone.
That is, I had a separate wireless and wired subnets, but both inside the firewall zone called LAN. They could not talk to each other by default until I chose "accept" there.
And whatever is the case, the GUI could use some clear and simple verbiage.
It is a chain.
But where does it start from? Where does it end?
I mean, the installed base is most probably divided into three camps: Those 1) who know nothing about the settings and leave them as they are, those 2) who suffer under a misconception or many and wonder why changing settings has unexpected or inexplicable results and 3) the very small minority who have tried every combination and figured out what does what and what goes where and 4) the even smaller minority that somehow knows the theory behind the firewall and really knows how one forward is different from another forward.
I saw no explanation there that would have answered my question. I don't know about the original poster's question, but I see there are answers to it that even add to the confusion. For example:
A zone consists of interfaces. And interfaces are a property of a particular device. As far as I know, a single router running OpenWRT knows nothing about what any other device thinks about its interfaces and how it groups these into zones.
I have played with routing protocols and zone-based firewalls in Cisco devices. But that's why I know these things aren't always inevitably related. No matter what Gertrude Stein says, zone is not a zone is not a zone.
So forget the other router. These things are not alive. They don't recognize each other and make friends. For that you would need to run a routing protocol (RIP, OSPF, IS-IS, EIGRP, BGP) and even then the firewall would deal with interfaces. One must think about it in a way where the interface is first defined by you to be a door to a certain subnet, which you can then define to be part of a zone. Then you here have added the interface to a zone according to your previous definition.
A packet comes in. Does it come in from an interface that is part of a zone?
It does: Consult the row dedicated to that particular zone.
Is the packet addressed to the router? If it is, then consult the Input selection on that particular row.
Is it going to another subnet—that is, out through another interface—that is included in the same zone? If so, consult the red, circled number 3.
Is it going to another zone—that is, out through another interface—that is included in some other zone? If so, see if the destination zone is mentioned in the Forwardings column of that particular zone, that is, next to the red, circled number 2.
It does not:
Is it addressed to the router? If it is, then consult the general Input selector near and above the red circled 1.
Is it going somewhere else than the router? Consult the Forward selector next to the red circled 1.
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
When a packet hits/traverses through one of the chains listed above and hits the end of the chain (because no rule with a target was applied), the default policy is applied/used.
This default policy can be overwritten with the zone settings below. (at 3)
Input = Traffic to the router
Output = Traffic originating from the router
Forward = Traffic between interfaces that are members in the same zone.
For example, you configure two interfaces on your router with different subnets but you assign both interfaces to the same zone:
If you set "Forward" (at 3) to "Accept", traffic between the interfaces/subnets can flow, but if you set it to Reject/Drop, no traffic will be flowing between the interfaces/subnets.
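To make the lookup order described in the posts above concrete (zone row if the ingress interface belongs to a zone, otherwise the defaults row; intra-zone traffic checked against the zone's own Forward, inter-zone traffic against the Zone => Forwardings entries, and anything that falls off the chain against the defaults), here is an added Python model. It is not code from the thread or from OpenWrt/LEDE; the `/etc/config/firewall` fragment is constructed for the example, the parser handles only the `config`/`option`/`list` subset of UCI syntax, and `decide()` models the policy fallbacks only, not individual rules, NAT or connection tracking. Zones that omit a policy inherit the defaults section here, which is a simplification of the real zone defaults.

```python
"""Added example: model of the OpenWrt/LEDE zone-firewall policy lookup.

Assumptions (not from the thread): the UCI fragment is constructed, the
parser covers only 'config', 'option' and 'list' lines, and decide() applies
policies only (no rules, redirects or conntrack state).
"""
import re

# Constructed /etc/config/firewall fragment: REJECT defaults, a permissive
# lan zone holding two networks, a locked-down wan zone, and one lan => wan
# forwarding, mirroring the settings discussed in the thread.
UCI_FIREWALL = """
config defaults
    option input 'REJECT'
    option output 'REJECT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    list network 'guest'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'
"""


def parse_uci(text):
    """Parse a minimal UCI subset into a list of section dicts."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append({"_type": m.group(1)})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1][key] = val
            else:
                sections[-1].setdefault(key, []).append(val)
    return sections


def build_model(sections):
    """Return (defaults, zones, forwardings, iface_zone) from parsed sections."""
    defaults = {"input": "REJECT", "output": "REJECT", "forward": "REJECT"}
    zones, forwardings, iface_zone = {}, set(), {}
    for s in sections:
        if s["_type"] == "defaults":
            for k in defaults:
                if k in s:
                    defaults[k] = s[k].upper()
        elif s["_type"] == "zone":
            name = s["name"]
            # Simplification: a zone without an explicit policy inherits defaults.
            zones[name] = {k: s.get(k, defaults[k]).upper() for k in defaults}
            for net in s.get("network", []):
                iface_zone[net] = name
        elif s["_type"] == "forwarding":
            forwardings.add((s["src"], s["dest"]))
    return defaults, zones, forwardings, iface_zone


def decide(model, src_iface=None, dst_iface=None):
    """Policy for one packet. src_iface=None means the router generated it;
    dst_iface=None means it is addressed to the router itself."""
    defaults, zones, forwardings, iface_zone = model
    src_zone = iface_zone.get(src_iface) if src_iface else None
    dst_zone = iface_zone.get(dst_iface) if dst_iface else None
    if src_iface is None:                      # router-originated: Output column
        return zones[dst_zone]["output"] if dst_zone else defaults["output"]
    if dst_iface is None:                      # to the router: Input column
        return zones[src_zone]["input"] if src_zone else defaults["input"]
    if src_zone is not None and src_zone == dst_zone:
        return zones[src_zone]["forward"]      # intra-zone: the circled "3"
    if (src_zone, dst_zone) in forwardings:
        return "ACCEPT"                        # Zone => Forwardings: circled "2"
    return defaults["forward"]                 # fell off the chain: defaults row


if __name__ == "__main__":
    model = build_model(parse_uci(UCI_FIREWALL))
    for src, dst in [("lan", None), ("lan", "guest"), ("lan", "wan"),
                     ("wan", "lan"), ("wan", None), ("dmz", "lan")]:
        print(f"{src!s:>4} -> {dst!s:<6} {decide(model, src, dst)}")
```

Running the block prints one verdict per sample packet; the wan to lan and unknown-interface cases land on the defaults row, which is exactly the situation the earlier posts describe when no zone or forwarding claims the packet.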
Your assumptions are correct and, as I said, are explained quite well in the wiki:
The defaults section declares global firewall settings which do not belong to specific zones:
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
| forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
| output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work.