Unexpected routing of traffic on router between VLANs

Hi,
I have a TP-Link TL-WR1043N/ND v2 running LEDE 17.01.2.

I have the following config:

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4a:4215:0460::/48'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0'
	option username '******'
	option password '******'
	option ipv6 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 3t 4'
	option vid '5'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 1 3t'
	option vid '10'

config switch_vlan
	option device 'switch0'
	option vlan '90'
	option ports '0t 3t'
	option vid '90'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option warning 'dont change this vlan number'
	option name 'wan, eth0'
	option ports '5 6'
	option vid '2'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option delegate '0'
	option ipaddr '172.17.90.10'
	option netmask '255.255.255.0'
	option ifname 'eth1.90'

config interface 'management'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1.5'
	option delegate '0'
	option ipaddr '172.17.5.10'
	option netmask '255.255.255.0'

config interface 'home'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1.10'
	option delegate '0'
	option ipaddr '172.17.10.10'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '91'
	option ports '0t'
	option vid '100'

config interface 'dmz'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1.100'
	option delegate '0'
	option netmask '255.255.255.0'
	option ipaddr '172.17.100.10'
/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'
	option channel '10'
	option country 'DE'
	option disabled '0'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key '******'
	option network 'guest'
	option ssid '******'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key '******'
	option ssid '******'
	option network 'home'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'management'
	option encryption 'psk2'
	option key '*****'
	option ssid '*****'
/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'ACCEPT'

config zone
	option name 'management'
	option network 'management'
	option forward 'REJECT'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'guest'

config zone
	option name 'home'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'home'
	option input 'ACCEPT'

config forwarding
	option dest 'guest'
	option src 'home'

config forwarding
	option dest 'wan'
	option src 'home'

config forwarding
	option dest 'guest'
	option src 'management'

config forwarding
	option dest 'home'
	option src 'management'

config forwarding
	option dest 'wan'
	option src 'management'

config zone
	option name 'dmz'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'dmz'
	option input 'ACCEPT'

config forwarding
	option dest 'dmz'
	option src 'guest'

config forwarding
	option dest 'dmz'
	option src 'home'

config forwarding
	option dest 'dmz'
	option src 'management'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'management'
	option proto 'tcp'
	option src_dport '234'
	option dest_ip '172.17.5.199'
	option dest_port '22'
	option name 'SSH'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '172.17.100.10'
	option dest_port '443'
	option name 'HTTPS'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '172.17.100.10'
	option dest_port '80'
	option name 'HTTP'

In summary, I have several VLANs (home (172.17.10.0), management (172.17.5.0) and guest) and several wireless networks, each bridged to one of the VLANs. The firewall should not allow traffic from home to management.

If I'm connected to the "home" WLAN I correctly get an IP address from the subnet 172.17.10.0/24. As expected, I cannot ping or reach clients on the management network.

However, I am able to ping the router's IP address on the management network (172.17.5.10) and can even reach the LuCI web configuration at https://172.17.5.10.

Why does this work, and how do I turn that behaviour off?

Thank you for any explanations!

That is normal behaviour for the Linux kernel: the traffic is not crossing into the management interface at all. The kernel does not distinguish which interface holds the IP address you are trying to reach; what matters is where the traffic comes from. In the firewall config above, the `home` zone has `option input 'ACCEPT'`, so any packet from that VLAN addressed to one of the router's own addresses — 172.17.5.10 included — is accepted.

In other words, traffic from the guest VLAN to the management IP is treated the same as traffic from the guest VLAN to the guest IP: both are packets from the guest VLAN arriving at the router itself.

However, you can configure LuCI's web server to listen only on specific interface addresses, so that it cannot be reached from the guest interface. Alternatively, set `option input 'REJECT'` on that zone and add explicit accept rules for the services the zone actually needs from the router.