We‘re getting closer to a solution. I can ping google from my ssh session on the router but can‘t access it from my laptop (attention: I masqueraded lan as suggested before)
Edit: Also after disabling lan -> wan masquerading again I still can‘t access google.com from my laptop connected to eth1
It‘s a devolo wifi pro 1200e Access Point.
I‘m currently resetting the router configuration to start up again as you suggested. Just to understand the system: What is the difference between assigning the wan firewall zone to my interface named whatever I like (that‘s what I did and is documented in the screenshots above) vs. naming the interface „wan“ and not doing anything else?
It's just fewer steps. Not knowing what else you may have tried, and since this use case is so close to the default configuration anyway, I suggested starting over.
Thank you. I did what you suggested. I observe the exactly same behavior as before: I do have internet (I can ping google.com) from my ssh session on the router (I opened the ssh session to the authentication server from the router). But I can‘t ping google from my laptop connected to eth1 (the bridge device, eth0 is the wan device).
Edit 1:
Maybe @frollic can help, his guidance led to the same result.
I don‘t really understand how the bridge device works, but as I removed the eth0 from it, don‘t I run two completely separated networks now?
Edit 2:
I can also open an ssh authentication session from my laptop but I still only have internet on the router – not on the laptop.
yes, but you should.
on on the LAN side, one on the WAN side.
have you already authenticated at the ssh host ?
Yes. I authenticated via laptop —> ssh root@192.168.1.1 —> ssh user@ip and also directly via laptop —> ssh user@ip
Both times I do have internet and working DNS on the router (I‘m connected via ssh from my laptop to the router) but I don‘t have internet on my laptop
Edit 1:
This means I can connect to the „outside“ from my laptop to the auth host (laptop coming in at lan and going out at wan to the auth)
OK,
so traffic appears to be flowing through the router, since you can connect to the
authentication IP.
are you able to ping 8.8.8.8, but not www.google.com from the computer ?
since the ssh session have to be open for internet to work, are you sure you're not
supposed to use it for tunneling the traffic ?
On the laptop, run a traceroute to any numeric Internet IP such as 8.8.8.4. Also run a ping to the ISP's first router (the gateway that you configured).
I suspect you may be being blocked inside the ISP by some feature they have designed to block usage of routers.
For authentication I‘m currently running an ssh session on my laptop. I can ping 8.8.8.8 from the router (obviously, I could also ping using a domain name) and I can also ping 8.8.8.8 from my laptop (but I can‘t resolve the DNS query for google)
so it appears to be a DNS issue.
try replacing the router provided DNS IP with 8.8.8.8.
Yes I am. When not using OpenWrt but configuring my MacBook directly it works as well by just keeping an ssh session open in a terminal window in the background.
I‘ll do but the DNS servers did work before.
before you authenticated, or after ?
When I was not using OpenWrt but connecting my MaxBook directly. Interesting fact: The laptop doesn‘t get a DNS server from the router (it did before, you asked me that earlier)
Edit 1:
Before I reset the configuration (and also when bridge was eth0 and eth1) the laptop got 192.168.1.1 as DNS server
well, that could be reason why the DNS resolution isn't working ... 
did you put back the WAN interface DNS IPs after the reset ?
try 8.8.8.8, in the client, for the time being.
When I manually set a DNS on the laptop everything works fine. Would be great if OpenWrt did offer DNS to clients now.
Edit 1:
Forgot my question: What do you mean by
The default configuration will have the router advertise itself (192.168.1.1) as DNS server for LAN DHCP clients. Make sure the laptop is set to be fully automatic DHCP with nothing manually configured.
look at the 2nd screen shot from the top of this thread.
put 8.8.8.8 and 8.8.4.4 there
since you use a static WAN IP, you also have to provide the IP for one or more DNS server.