"Dumb AP" with wan and lan interface

Hi, I have a question regarding the setup of a "Dumb AP". My router is a Raspberry Pi 4B with OpenWrt 23.05.2 behind a FritzBox router as "dumb AP". The router has 2 ethernet ports, the built-in port eth0 and a USB ethernet adapter eth1. Both ports are working. I want a network setup where all clients of the Raspberry Pi router get the IP address from the FritzBox directly, so that they are part of the same network as clients that are connected directly to the FritzBox.

I currently have a configuration where both ports are part of the 'lan' zone and the Raspberry and all clients get their IP via DHCP from the FritzBox:

[...]
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
[...]

I have tried to create an interface wan (and wan6) and move eth0 to this interface so that I can a) have a static IP for the Raspberry Pi and b) use the OpenWrt firewall to block ports for clients of the Raspberry Pi. So far this has not been successful! I have tried:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.2'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.2'

Both interfaces are excluded from DHCP because the DHCP for the clients should come from the FritzBox so that all clients belong to the same subnet.

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

Unfortunately this is NOT working: I have internet access on the Raspberry Pi but clients (wired or wireless) have no internet. How can I get a configuration for a "dumb AP" with wan and lan working? I suspect I need additional forwarding rules for DHCP (and potentially more). I currently have the following:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

Can anyone help me to set this up?

This is the definition of a dumb AP. So this is straightforward.

This cannot be done if you want all of the downstream devices to be on the same network/subnet as the main router. A dumb AP is transparent and the routing engine/firewall does not filter any traffic because these L3 functions aren't involved in the traffic flow (everything is happening at L2 when you're on the same network... L3 is only when you are dealing with different subnets/networks).

If you want the devices that are connected to the Pi to be subject to firewall rules, you must use the Pi as a router. This necessarily means that the upstream network (the FB lan) and the new lan on the Pi must be different subnets. To achieve this, you'll change the subnet of the OpenWrt lan (you could use 192.168.1.1/24 for the lan address since your upstream is 192.168.178.0/24). You'll also want to turn on the DHCP server on your lan interface, and you need to disable masquerading on the lan firewall zone. At that point, you can set up whatever rules you want on the firewall.
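The routed setup described in the reply above, written out as UCI config (an added example, not posted by anyone in the thread). It reuses the device names and addresses from the question; the wan gateway and DNS address, the DHCP pool values, and the `list network 'wan'` line on the wan zone are assumptions, not taken from the thread.

```uci
# /etc/config/network
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

# lan moves to its own subnet, distinct from the upstream 192.168.178.0/24
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# gateway and dns are assumptions (FritzBox LAN address), not stated in the thread
config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.178.2'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'

# /etc/config/dhcp: server enabled on lan (no 'option ignore'); pool values are illustrative
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall: no masquerading on the lan zone; wan zone bound to the wan interface
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'
```

With masquerading left on the wan zone, clients behind the Pi appear to the FritzBox as 192.168.178.2, so the FritzBox needs no route to 192.168.1.0/24.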

Thank you for the clarification. I was not aware of this. So I will stick to having everything in the lan zone to make sure that all clients are in the same subnet and not use the firewall rules.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!