All happens just like there was a rule saying "deny this Android device reaching the 192.168.2.0 network when it is connected to the dumb AP (but let him go to internet)".
Can you confirm that there is no firewall on the client that prevents outgoing connections?
Do you confirm that other clients connected to the 192.168.2.x network can do everything you want?
try waiting for the answer from someone with more skills than me.
in the meantime if you want, try putting BR_HOME like this in "main router" (just to check if nattated traffic and/or not would be possible):
config zone option output 'ACCEPT' option input 'ACCEPT' option name 'BR_HOME_FW' option forward 'ACCEPT' list network 'BR_HOME'
config zone option output 'ACCEPT' option input 'ACCEPT' option name 'BR_HOME_FW' option forward 'REJECT' list network 'BR_HOME' option masq '1'
No firewall on the client, and other clients can access 192.168.2.0 network.
Opening the forward chain in the firewall does not solve the problem.
Any chance that a bug was introduced in 23 ? I didn't have the problem with 22.
I'll leave you in the hands of someone with more skills than me.
in the meantime, perhaps it is better to document the client with the following information:
operating system version
in the hope that someone smarter than me will find what the problem is.
If you have other clients identical to this device, do those also have problems?
Have you tried (if it's not too expensive) to reboot and/or reinstall the operating system of this client?