DNS Filtering on Bridged LAN Dumb AP

How do I enable DNS Filtering on Bridged LAN?
Filtering works on the AP but not on the client connected to the AP.
I have taken insparation in the config of Dumb AP Configuration
so ISP internet comes from a different router on lan1. The client is connected via Lan2/3/4. The cabeling may be fixed however.
I am in the proc of bilding the nw down below. Any input would be appreciated.

Configs

/etc/config/adblock
config adblock 'global'
        option adb_enabled '1'
        option adb_debug '0'
        option adb_forcedns '1'
        option adb_safesearch '0'
        option adb_dnsfilereset '0'
        option adb_mail '0'
        option adb_report '0'
        option adb_backup '1'
        list adb_sources 'adguard'
        option adb_dns 'dnsmasq'
        option adb_fetchutil 'curl'
        list adb_zonelist 'lan'
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''
        option packet_steering '1'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan-wasp'
        list ports 'wan'

config device
        option name 'lan1'
        option macaddr ''

config device
        option name 'lan2'
        option macaddr ''

config device
        option name 'lan3'
        option macaddr ''

config device
        option name 'lan4'
        option macaddr ''

config device
        option name 'lan-wasp'
        option macaddr ''

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'dsl0'
        option macaddr ''

AP Client traceroute

OpenWRT router is missing here

traceroute to example.org (2600:1406:bc00:17::6007:810d), 30 hops max, 80 byte packets
 1  fritz.box (ipv6)  1.631 ms  1.853 ms  2.164 ms
 2  * * *
 3  dynamic-2a02-3102-8000-c0a2-0000-0000-0000-0001.310.pool.telefonica.de (2a02:3102:8000:c0a2::1)  19.070 ms  21.031 ms  17.347 ms
 4  de-fra04d-rc1-lo0-0.v6.aorta.net (2001:730:2d00::5474:8015)  29.192 ms  29.162 ms  29.138 ms
 5  dynamic-2a02-3102-8000-0101-0000-0000-0000-0002.310.pool.telefonica.de (2a02:3102:8000:101::2)  21.038 ms  21.017 ms  20.992 ms
 6  dynamic-2a02-3102-8000-0101-0000-0000-0000-0001.310.pool.telefonica.de (2a02:3102:8000:101::1)  22.025 ms * *
 7  2a02:3001::280 (2a02:3001::280)  18.795 ms  16.484 ms  14.989 ms
 8  2001:1498:1:935::2 (2001:1498:1:935::2)  12.933 ms * *
 9  * 2001:1498:1:3f1::2 (2001:1498:1:3f1::2)  13.098 ms *
10  ae-3.r26.frnkge13.de.bb.gin.ntt.net (2001:728:0:2000::269)  15.687 ms  14.149 ms 2001:1498:1:3f1::2 (2001:1498:1:3f1::2)  22.752 ms
11  ae-4.r23.londen12.uk.bb.gin.ntt.net (2001:728:0:2000::15d)  28.204 ms ae-3.r26.frnkge13.de.bb.gin.ntt.net (2001:728:0:2000::269)  15.977 ms  16.007 ms
12  ae-13.r27.asbnva02.us.bb.gin.ntt.net (2001:418:0:6000::1f9)  100.587 ms ae-4.r23.londen12.uk.bb.gin.ntt.net (2001:728:0:2000::15d)  24.487 ms ae-13.r27.asbnva02.us.bb.gin.ntt.net (2001:418:0:6000::1f9)  103.124 ms
13  ae-2.r27.lsanca07.us.bb.gin.ntt.net (2001:418:0:2000::1be)  166.062 ms  164.399 ms  162.558 ms
14  vlan104.r16.spine101.lax01.fab.netarch.akamai.com (2600:1406:b400:6611::1)  165.079 ms vlan104.r15.spine101.lax01.fab.netarch.akamai.com (2600:1406:b400:6610::1)  164.041 ms ae-2.r27.lsanca07.us.bb.gin.ntt.net (2001:418:0:2000::1be)  161.780 ms
15  ae4.r09.spine101.lax01.fab.netarch.akamai.com (2600:1406:b400:660a::1)  167.984 ms ae11.r01.leaf105.lax01.fab.netarch.akamai.com (2600:1406:b400:e05::1)  169.235 ms vlan115.r03.leaf105.lax01.fab.netarch.akamai.com (2600:1406:b400:1207::1)  167.215 ms
16  vlan103.r04.tor105.lax01.fab.netarch.akamai.com (2600:1406:b400:1a01::1)  169.137 ms  172.086 ms vlan115.r04.leaf105.lax01.fab.netarch.akamai.com (2600:1406:b400:1208::1)  169.099 ms
17  g2600-1406-bc00-0017-0000-0000-6007-810d.deploy.static.akamaitechnologies.com (2600:1406:bc00:17::6007:810d)  172.047 ms vlan102.r04.tor105.lax01.fab.netarch.akamai.com (2600:1406:b400:1901::1)  172.119 ms g2600-1406-bc00-0017-0000-0000-6007-810d.deploy.static.akamaitechnologies.com (2600:1406:bc00:17::6007:810d)  173.602 ms

Goal of the set up.

I want all traffic of the AP to go through a VPN and be DNS filtered at the same time. Obviously I can set the OpenWRT manually as DNS server, but thats not the point.

Nice colorful pictures, maybe make font smaller so no one reads them? [/sarcasm]
Please edit your post replacing mega blobs with pasted text.

Please edit your post replacing mega blobs with pasted text.

Done

OpenWrt is obviously one endpoint of the VPN... where is the other?

I would like that to be a commercial provider like mullvad or express/nord.
So the standard wireguard/openvpn manual would suffice for this

It that's the case, you'll setup your OpenWrt device as a standard router and then add your VPN. In this configuration, all client devices connected to OpenWrt will be routed through it and the DHCP server will advertise the OpenWrt router as the DNS server. So you can do whatever DNS filtering you need, including DNS hijacking, if needed.

That said, some DNS filtering methods have significant RAM requirements (and also flash storage), so you need a router with sufficient resources.