WebGUI accessible from internal LAN by using WAN IP

[Mupu]

Hi,
im trying to configure a Guest network to allow only internet access. To achieve that I have one rule.

allow wan - interface: Guest, src: guest, dest: not RFC1918.

This works as expected with one exception. I noticed that a client in the guest network still can access the Firewall GUI when he uses the external WAN IP. And I have no idea why. The log only shows one entry, being:
interface: Guest, src: 10.0.66.12, dst: wanip, matched by my rule above

I expected it to get routed through the WAN interface and then blocked there since I have no HTTP/HTTPS rules on my WAN interface.
But I don't see any of that happening in the log. Using Wireshark on the client also just showed traffic from wan IP to the internal LAN IP the client has..

I tried disabling the auto-generated anti-lockout rule and disabling the GUI completely on the guest interface, which I expected would stop the client from accessing the GUI but did not. The only way I got it to work was by adding another FW rule explicitly blocking traffic from Guest net to 'This Firewall'.
Also, I didn't change any of the reflection settings, but since there doesn't seem to be any NAT happening I don't think it's the cause but no clue.

Does anyone have an idea of what's going on, and how to stop the access through the WAN IP?