Consider switching default WAN policy from REJECT to DROP
It might be better to drop all connections on WAN side rather then rejecting them.
The default is right now set unconditionally from OpenWrt. This needs either dirty patch or some upstream effort to export this settings to KConfig.