Also, TIL: the OpenWRT web interface, LuCI, by default listens on 0.0.0.0:80 (via uhttpd), which one may think is madness, because you don't want the WAN or non-admin VLANs accessing it.
So I changed it to 192.168.1.1:80, but it turns out that this is pointless. It was always firewalled from the WAN anyway (and indeed, port 80 and 443 incoming are forwarded to my Friendica server), and it turns out that it still accepts connections from other VLAN subnets because of funky loopback shit.
So you need to firewall the router from potentially hostile VLAN subnets and just allow DNS and DHCP via port forwarding (if that's how you roll) through anyway.
(Aside, I wondered what the fuck the "input" zone forwarding was on the OpenWRT firewall. Turns out it means traffic aimed at the router, and only the router. Live and learn.)
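For the "firewall the router from hostile VLANs, but let DNS and DHCP through" setup described above, here is what that looks like in /etc/config/firewall. This is an added example, not config from the original post; it assumes a VLAN interface named `guest` in /etc/config/network and a WAN zone named `wan`, both placeholders for your own names. A `config rule` with only `src` set applies to the router's own input chain, which is exactly the "input" traffic the aside is talking about.

```uci
# Zone for the untrusted VLAN. input REJECT blocks everything aimed at the
# router itself (LuCI, ssh, ...) unless a rule below explicitly allows it.
config zone
	option name 'guest'
	list network 'guest'          # interface name from /etc/config/network (assumed)
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let the guest VLAN reach the Internet, but not the LAN or the router.
config forwarding
	option src 'guest'
	option dest 'wan'             # placeholder zone name

# DHCP from guest clients to the router (no 'dest' => input chain).
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS from guest clients to the router's resolver (dnsmasq).
config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` applies it; from a guest host, the check is that DNS on port 53 answers while port 80 on the router is refused.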
And also, if you try to bind it to the main LAN address, it comes up before that interface does, notices the interface doesn't exist, and promptly quits.
And then you have to go in via ssh and start it manually.
So don't do that. It's set to 0.0.0.0:80 in /etc/config/uhttpd for a reason, and we shouldn't fuck about with it.
Rolling your own Internet router is fun, but there are all sorts of fun ways to screw yourself.