OpenWrt 22.03 without firewall drop all traffic?

Hello!

I have built an image without the firewall, but now the network does not work. I have serial console access and can connect to the system.
I can see that br-lan and eth0 are up, but no traffic goes through them.
When I built the image with the firewall, everything worked fine.

Is the default kernel policy DROP?

Who's doing the NAT in your setup?

Nobody.
This is only a WiFi AP with only one function: WiFi - Ethernet.

Then post your config.

Default config from OpenWrt:

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8e:98f6:7002::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

I have now tested that the device is accessible via the "Openwrt" WiFi SSID. But it does not work via eth0. By the way, the packet count on the interface is increasing.

/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 18:D6:C7:E2:38:18
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd8e:98f6:7002::1/60 Scope:Global
          inet6 addr: fe80::1ad6:c7ff:fee2:3818/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30823 errors:0 dropped:3 overruns:0 frame:0
          TX packets:4677 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7233341 (6.8 MiB)  TX bytes:998313 (974.9 KiB)

eth0      Link encap:Ethernet  HWaddr 18:D6:C7:E2:38:18
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26878 errors:0 dropped:6 overruns:0 frame:0
          TX packets:3750 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7234390 (6.8 MiB)  TX bytes:196993 (192.3 KiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:904512 (883.3 KiB)  TX bytes:904512 (883.3 KiB)

wlan0     Link encap:Ethernet  HWaddr 18:D6:C7:E2:38:16
          inet6 addr: fe80::1ad6:c7ff:fee2:3816/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4213 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17550 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:459351 (448.5 KiB)  TX bytes:5593529 (5.3 MiB)
# ping 192.168.1.111
PING 192.168.1.111 (192.168.1.111): 56 data bytes
^C
--- 192.168.1.111 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

I ALWAYS build my images without the firewall. But then I set up my own simple (iptables) rules from /etc/rc.local, incl. default policies, of course.
Much easier to understand and to manage, compared to the firewall. Still works on 22.03.3; might change with the next version of OpenWrt, because of nftables.

I have built the image without the firewall and without the kernel modules for the firewall. I don't have iptables or nftables or anything else...

That is too bare-bones for me :) It should not be too much overhead to include the standard iptables stuff.

I don't know why! But a firmware upgrade with the SAME binary has resolved the problem. Miracle!
