Redirect incoming web traffic to server on DMZ

I am a bit confused about how to redirect incoming traffic (i.e. traffic arriving on the WAN interface) destined for the web ports (80 and 443) to a specific machine on the DMZ interface (which is physically separate from the LAN interface).

This should be a trivial task but I didn't find clear instructions (most likely my bad).

I have a modem/router (delivered by my ISP) directly connected to OpenWrt WAN (modem 192.168.1.1 <--> 192.168.1.254 OpenWrt WAN).
This modem does NAT (IPv4 only) and redirects all incoming packets to OpenWrt.

OpenWrt has two more physical interfaces for LAN(192.168.7.254/24) and DMZ(192.168.77.254/24).

One specific host on the DMZ is my webserver (192.168.77.110).

I want to expose this webserver to the Internet.
To this end I added two rules in LuCI Network -> Firewall -> Port Forwards:

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'Web__80-to-webserver'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.77.110'
        option dest_port '80'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'Web_443-to-webserver'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.77.110'
        option dest_port '443'

Apparently this is not enough, as I'm unable to reach the webserver from the Internet (I can reach it from the LAN using a DNS host override).

I am not even sure this actually is an OpenWrt problem because pinging my external address I get a "Host unreachable" answer.

OTOH my WAN configuration has "reject" policy for WAN and I'm unsure if I should change this.

UPDATE:
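After changing my WAN policy to "accept" and its "Forwardings" to dmz, I can access the LuCI interface from the Internet, which is of course not what I want: it means the router's own management interface is exposed. (The WAN in question is actually called bkp for historical reasons: wan is now my "backup connection" and bkp my main one.) [Note: in the firewall configuration below, the bkp network belongs to the zone named 'bp', while both port forwards use src 'wan'.]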

Pointers to relevant documentation are welcome (I tried reading through it, but there seem to be conflicting instructions and I got lost).

My (current) full configuration is:

root@openwrt:/etc/config# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "6.1.0-18-amd64",
	"hostname": "openwrt",
	"system": "Intel(R) Celeron(R) CPU N3450 @ 1.10GHz",
	"model": "AZW Gemini T34-M",
	"board_name": "azw-gemini-t34-m",
	"rootfs_type": "btrfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.7.254'
	option netmask '255.255.255.0'
	option device 'eth0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'dmz'
	option proto 'static'
	option ipaddr '192.168.77.254'
	option netmask '255.255.255.0'
	option device 'eth2'

config interface 'bkp'
	option proto 'dhcp'
	option device 'eth3'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'incus'
	option mac '2A:97:A4:B9:2E:57'
	option ip '192.168.7.98'
	option leasetime 'infinite'

config dhcp 'dmz'
	option interface 'dmz'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'webserver'
	option dns '1'
	option mac '00:16:3E:05:A2:04'
	option ip '192.168.77.110'
	option leasetime 'infinite'

config domain
	option name 'blog.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'wiki.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'git.condarelli.it'
	option ip '192.168.7.90'

config host
	option name 'cinderella'
	option dns '1'
	option mac 'E0:D5:5E:A0:21:0F'
	option ip '192.168.7.12'
	option leasetime 'infinite'

config host
	option name 'syno0'
	option dns '1'
	option mac '90:09:D0:2B:A1:1F'
	option ip '192.168.7.90'
	option leasetime 'infinite'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'

config zone
	option name 'bp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'bkp'

config forwarding
	option src 'lan'
	option dest 'bp'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'bp'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-websewrver-to-git'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '192.168.77.110'
	option dest 'lan'
	option dest_port '17022'
	option target 'ACCEPT'
	list dest_ip '192.168.7.90'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Web__80-to-webserver'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.77.110'
	option dest_port '80'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Web_443-to-webserver'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.77.110'
	option dest_port '443'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.2.60/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth3
       valid_lft forever preferred_lft forever
13: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.7.254/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever
14: eth2@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.77.254/24 brd 192.168.77.255 scope global eth2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth3  src 192.168.1.2 
192.168.1.0/24 dev eth3 scope link  src 192.168.1.2 
192.168.2.0/24 dev eth1 scope link  src 192.168.2.60 
192.168.7.0/24 dev eth0 scope link  src 192.168.7.254 
192.168.77.0/24 dev eth2 scope link  src 192.168.77.254 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.1.2 dev eth3 table local scope host  src 192.168.1.2 
broadcast 192.168.1.255 dev eth3 table local scope link  src 192.168.1.2 
local 192.168.2.60 dev eth1 table local scope host  src 192.168.2.60 
broadcast 192.168.2.255 dev eth1 table local scope link  src 192.168.2.60 
local 192.168.7.254 dev eth0 table local scope host  src 192.168.7.254 
broadcast 192.168.7.255 dev eth0 table local scope link  src 192.168.7.254 
local 192.168.77.254 dev eth2 table local scope host  src 192.168.77.254 
broadcast 192.168.77.255 dev eth2 table local scope link  src 192.168.77.254 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Nov 14 13:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May  9 07:53 /tmp/resolv.conf
-rw-r--r--    1 root     root           142 Apr 23 01:20 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           142 Apr 23 01:20 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface bkp
nameserver 192.168.1.1
search homenet.telecomitalia.it
# Interface wan
nameserver 192.168.2.1
search homenet.telecomitalia.it