Change default INPUT & FORWARD rules for both wan & guest from REJECT to DROP
The rule of thumb on the Internet should be to remain stealth (DROP) while the REJECT action actually confirms that there is a server at this IP and it bothers enough to actually respond to the incoming messages. This pretty much guarantees that all ports will be scanned over and over and hack attempts will not stop: it is like asking for trouble. Responding to ICMP ping and others increases the CPU usage and bandwidth utilization which might lead to a DoS event. Home routers should remain stealth as more often than not the people that manage them do not know how to deal with attacks or connection slow downs.