Unless it’s an industrial grade router, firewalls won’t come into it.
A properly configured Pi opens ports and only responds to those as part of the server/service setup.
Traffic from in-LAN gets flagged as local and gets passed. Doesn’t need to be routed across the WAN or touch the firewall.
Firewalls block the outside world coming in. And in extreme cases ACLs out unless explicitly changed.
People going down a pinhole route can be dangerous. And actually needs webserver/ports tested on the host (pi) before going that far.
OP - check for existence of lighttpd and piaware configuration.