Port forwards do not set dest ip to router

I’ve tried setting up a port forward from the router to a device in its LAN - and this forward should only work for other devices in the LAN (i.e. it is not a WAN->LAN forward). I did it using the standard LuCI interface, selecting lan as both source and destination zone. However, I’m confused by the iptables rules it generated.

Setup:
Router: br-lan (192.168.2.1)
Forwarded-to device: 192.168.2.3
Forwarded port: 2101

The generated rules (there were 2, one tcp, one udp) were like this:

iptables -t nat -A zone_lan_prerouting -i br-lan -p tcp --dport 2101 -j DNAT --to 192.168.2.3:2101

However, this rule forwards everything, not just packets destined to the router itself (i.e. if the forwarded-to device itself tries to connect to <SOME_IP_IN_INTERNET>:2101, this rule forwards the traffic back to the device itself).

For it to work as I want, I needed to create a rule manually, adding the --destination flag:

iptables -t nat -A zone_lan_prerouting -i br-lan -d 192.168.2.1 -p tcp --dport 2101 -j DNAT --to 192.168.2.3:2101

My question is: why doesn’t LuCI automatically fill in the destination with the router’s IP? I think it’s not desirable in the general case to kidnap traffic that’s just passing through the router and is not destined to it. Or am I wrong?

I see there is one difficulty with iptables: you can’t specify <device> as the destination, so you probably have to generate one rule for each IP address the router has in the lan zone. But that shouldn’t be a big problem, should it?

Or would it be easier to add the rule to a different chain? Apparently, zone_lan_prerouting applies to both INPUT and FORWARD traffic. I guess port forwards could easily go just to INPUT.
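
An added example (not part of the original post, and not OpenWrt's own code): a shell check that lists DNAT rules with no destination match, the condition described in the post, and rewrites each one with -d for every router address passed as an argument. The sample rules are constructed in `iptables -S` form from the values in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit NAT rules for DNAT entries that match any destination.

# Constructed sample in "iptables -t nat -S" form, using the post's values:
# two unscoped rules (tcp, udp) and one rule already scoped with -d.
sample_rules() {
cat <<'EOF'
-A zone_lan_prerouting -i br-lan -p tcp -m tcp --dport 2101 -j DNAT --to-destination 192.168.2.3:2101
-A zone_lan_prerouting -i br-lan -p udp -m udp --dport 2101 -j DNAT --to-destination 192.168.2.3:2101
-A zone_lan_prerouting -d 192.168.2.1/32 -i br-lan -p tcp -m tcp --dport 2101 -j DNAT --to-destination 192.168.2.3:2101
EOF
}

# Read rules on stdin; print each DNAT rule that has no destination match.
# -d/--destination/--dst scope by address; "-m addrtype --dst-type" scopes
# by address type, so it is also accepted as a destination restriction.
unscoped_dnat() {
    awk '
    {
        dnat = 0; scoped = 0
        for (i = 1; i <= NF; i++) {
            if (i < NF && $i == "-j" && $(i + 1) == "DNAT") dnat = 1
            if ($i == "-d" || $i == "--destination" || $i == "--dst" ||
                $i == "--dst-type") scoped = 1
        }
        if (dnat && !scoped) print
    }'
}

# Read rules on stdin; for each unscoped DNAT rule, print one copy per
# router address given as an argument, with "-d <address>" inserted.
scope_rules() {
    unscoped_dnat | while IFS= read -r rule; do
        for ip in "$@"; do
            printf '%s\n' "$rule" | sed "s|^-A \([^ ]*\) |-A \1 -d $ip |"
        done
    done
}

echo "DNAT rules without a destination match:"
sample_rules | unscoped_dnat
echo "Scoped to the router address 192.168.2.1:"
sample_rules | scope_rules 192.168.2.1
```

On a router, the same functions can read live rules with `iptables -t nat -S | unscoped_dnat`.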