If anybody wants to know, the answer is… the ipv6 module!
If that module is disabled or uninstalled, all ipv6 packets are passed through by the firewall ip filter… no comment, that is stupid because everyone thinks that if I disable or uninstall the ipv6 module, the packets are blocked.
If you really want to disable ipv6 on your router, do not uninstall the ipv6 module. You should install it and just add the following rules to the ipv6 filter (yes, there is a separate firewall only for ipv6):
chain=forward action=drop
chain=input action=drop
chain=output action=drop
The only reason why IPv6 matters in your case is that server.local somehow resolves to an IPv6 address.
BTW, bridging two L3 subnets and then using bridge filters (or switch ACLs if you were using some real switch for that) to block traffic is, mildly put, weird. And since your OP was extremely scarce with details, nobody could think of such a problem. Most forum members assume posters would do their own research before asking questions. With ssh connections it’s pretty easy to check the connection origin, and by doing it one would spot if it’s IPv6.
BTW2, IPv4 and IPv6 are distinct L3 protocols. Just because they can transport the same L4 protocols (TCP, UDP, ESP, …) doesn’t mean they should share the same configuration subtree (I’m not saying they should not) … I don’t think anybody would push IPX or DECnet or NBF firewall/filter rules into the same configuration sack with IP.
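The origin check mentioned above, as an added example that is not part of the thread: it classifies the peer address of each accepted SSH login so that sessions arriving over IPv6, which IPv4-only filter rules never see, stand out. The log lines are constructed and assume the usual OpenSSH "Accepted ... from ADDR port N" message format; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sshd log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 server sshd[811]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Jan 10 12:03:44 server sshd[846]: Accepted password for admin from fe80::a00:27ff:fe4e:66a1%eth0 port 50388 ssh2
Jan 10 12:07:19 server sshd[902]: Accepted publickey for backup from 2001:db8::25 port 41870 ssh2
Jan 10 12:09:02 server sshd[915]: Accepted password for admin from ::ffff:192.0.2.77 port 39114 ssh2
"""

ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<addr>\S+) port \d+")


def classify(addr):
    """Return 'ipv4', 'ipv6-link-local' or 'ipv6' for a logged peer address."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop a zone id such as %eth0
    if ip.version == 4:
        return "ipv4"
    if ip.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 peer seen through a dual-stack socket
        return "ipv4"
    if ip.is_link_local:
        # fe80::/10, typical when a .local name resolves on the same segment
        return "ipv6-link-local"
    return "ipv6"


def ssh_origins(log_text):
    """Yield (user, address, family) for every accepted login in the log text."""
    results = []
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if match:
            addr = match.group("addr")
            results.append((match.group("user"), addr, classify(addr)))
    return results


def ipv6_logins(log_text):
    """Logins that bypassed any IPv4-only filtering because they used IPv6."""
    return [row for row in ssh_origins(log_text) if row[2].startswith("ipv6")]


if __name__ == "__main__":
    for user, addr, family in ssh_origins(SAMPLE_LOG):
        print(f"{family:16} {user:8} {addr}")
```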