Hi hnyman,
I ran into a question after release 36612. In r36612 or before, if I create a "Port Forwards" rule using LuCI, OpenWrt tries to distinguish whether the mapping is destined to the router itself or to another host in the zone. Respectively, OpenWrt will create a filter rule in the INPUT chain (linked to the zone_wan chain, as shown below) or in the FORWARD chain, besides the NAT rules.
-A zone_wan -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
-A zone_wan -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate DNAT -j ACCEPT
But this isn't the case in r36936 or r37529. In these newer releases, OpenWrt always creates filter rules in the FORWARD chain (besides the NAT rules) without caring whether the destination is bound to the router itself.
-A zone_lan_forward -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "1022T (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "1443T (reflection)" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "1022T" -j ACCEPT
-A zone_wan_forward -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "1443T" -j ACCEPT
I assume this isn't the intended purpose, because these rules make no sense and I also have to create additional "Traffic Rules" to access the router remotely.
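
An added example, not part of the original post or of OpenWrt's own code: netfilter delivers packets addressed to one of the router's own addresses through INPUT rather than FORWARD, so this sketch sorts ACCEPT rules aimed at the router by the path their chain sits on. It assumes the router address is 192.168.1.1 (taken from the rules above) and that chains ending in `_forward` hang off FORWARD while the other zone chains hang off INPUT, as the post describes; `parse_rule` and `classify` are hypothetical helper names.

```python
import ipaddress
import shlex

# The rules quoted in the post: r36612 style first, then r36936/r37529 style.
SAMPLE_RULES = """\
-A zone_wan -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
-A zone_wan -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate DNAT -j ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "1022T (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "1443T (reflection)" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "1022T" -j ACCEPT
-A zone_wan_forward -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "1443T" -j ACCEPT
"""


def parse_rule(line):
    """Return chain, destination, dport and target of one '-A' rule, else None."""
    tokens = shlex.split(line)  # keeps a quoted --comment value as one token
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "dst": None, "dport": None, "target": None}
    wanted = {"-d": "dst", "--dport": "dport", "-j": "target"}
    for flag, value in zip(tokens[2:], tokens[3:]):
        if flag in wanted:
            rule[wanted[flag]] = value
    if rule["dst"]:
        rule["dst"] = ipaddress.ip_network(rule["dst"], strict=False)
    return rule


def classify(rules_text, router_addrs):
    """Group ACCEPT-type rules whose destination is a router address by path."""
    local = {ipaddress.ip_address(a) for a in router_addrs}
    result = {"forward_path": [], "input_path": []}
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if not rule or rule["dst"] is None:
            continue
        if not (rule["target"] or "").endswith("ACCEPT"):
            continue
        dst = rule["dst"]
        # Only single-host destinations that are the router itself are of interest.
        if dst.prefixlen != dst.max_prefixlen or dst.network_address not in local:
            continue
        # Assumption: '*_forward' chains are reached from FORWARD, others from INPUT.
        key = "forward_path" if rule["chain"].endswith("_forward") else "input_path"
        result[key].append((rule["chain"], rule["dport"]))
    return result


if __name__ == "__main__":
    for path, hits in classify(SAMPLE_RULES, ["192.168.1.1"]).items():
        print(path, hits)
```

Entries under `forward_path` are rules that traffic to the router itself does not traverse; an empty `input_path` for a forwarded port means no filter rule on the INPUT side admits it.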