Multiple connection issues

my setup:
I have a wireless bridge connected to a marinas WiFi, 2PCs and a Raspberry Pi4b connected to the bridge via Ethernet.
im using OpenWRT 21.02.0
ultimately I want to replace the china spec wireless bridge with the Pi/OpenWRT

I can connect to the Pi's WiFi AP and access the internet no problem, I can access the Pi from PC via the http interface (luci) but I cant get access to the internet from the Pi (Im directly using the pi with keyboard and screen).
From the Pi, nslookup works fine but ping, traceroute, opkg all fail (ping and traceroute will resolve the www to IP but)..also cant ping the gateway on the Bridge!!!
im guessing ive got a routing issue from 127.. to the bridge??? WLAN to LAN is fine but not consol to LAN

im kind of a newby, its been many, many,many years since I dabbled with linux.....like think redhat5, so please be kind and spell it out lol

You sure the marina haven't blocked that kind of traffic ?

na, i can ping/tracert of the PCs OK. from the Pi i cant even ping the wireless bridges IP despite having my phone and tablet connected to the Pis AP ==> wireless bridge ==> marina wifi..they both do ping/traceroute. its only from the pi itself

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

I'm guessing your Chinese "bridge" is actually routing*, and all of your devices are on its LAN. If you've static IP the Pi you need to set the gateway properly. Usually one would run a DHCP client on the interface and let it pull settings from upstream.

• since you can only have one IP and one MAC on the marina network, you have to route somewhere.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
===============================================
root@OpenWrt:~# uci export network; uci export wireless
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdad:4177:6415::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option cell_density '0'
        option hwmode '11g'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
======================================================
root@OpenWrt:~# uci export dhcp; uci export firewall
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wwan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'
============================================

root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
============================================================
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.23/24 brd 192.168.100.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.100.1 dev br-lan  src 192.168.100.23
192.168.100.0/24 dev br-lan scope link  src 192.168.100.23
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.100.0 dev br-lan table local scope link  src 192.168.100.23
local 192.168.100.23 dev br-lan table local scope host  src 192.168.100.23
broadcast 192.168.100.255 dev br-lan table local scope link  src 192.168.100.23
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
======================================================
root@OpenWrt:~# ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:fedd:335f/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdad:4177:6415::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fedd:335e/64 scope link
       valid_lft forever preferred_lft forever
fdad:4177:6415::/64 dev br-lan  metric 1024
unreachable fdad:4177:6415::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast fdad:4177:6415:: dev br-lan table local  metric 0
local fdad:4177:6415::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::xxxx:xxxx:fedd:335e dev br-lan table local  metric 0
local fe80::xxxx:xxxx:fedd:335f dev wlan0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000004:     from all iif br-lan lookup unspec 12
==========================================
root@OpenWrt:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0
/etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx    1 root     root            16 Aug 31 22:20 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Sep  1 11:36 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Aug 31 22:27 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            54 Aug 31 22:27 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4

didnt know dhcp could go upstream, so the china wireless bridge gets its ip from the marinas DHCP and in turn runs ips own DHCP server for an machine connecting to it.
marina seems to only block wares sites,porn sites, torrrent sites, vpn servers etc. theres probably many ports closed but everything ive needed so far has been open. they run a mesh network, everyone uses the same password (so often you get random people accidentally casting to your TV etc). ATM I have about 30 IOT devices + PCs, phones etc. Id like to get them all on a system to give me some isolation from other marina clients, the china bridge only supports 6 connections across LAN and WAN

One thing is that you connect to the upstream bridge from the lan port, which is part of the lan bridge. Lan interface is setup for dhcp protocol, but you are also running dhcp server on the lan interface. You might be blocked for that.
Also in the firewall you are using the defaults for the lan zone which connects you to the internet and this might be dangerous.
If you are going to use the Raspi as a dumbAP only, make sure that the bridge you have is providing a good level of security, otherwise split the eth and wifi interfaces into separate ones and use for lan only the wifi and for wan the eth.