FYI this is not needed, I can see it works fine for you, but I had problem in past versions. I don't fill it ever since and has the correct mtu.
This redirect should be a rule. Create a new instance of dropbear on the src_dport and allow that.
Both your DNATs have zero hits in iptables though, so nothing actually reached the device from the internet. There are also no hits in the reflection rules, so I am not sure you restarted the firewall and reset the counters after you tested from the lan. Either way everything looks correct.