[SOLVED] Guest wifi on bridged AP

I have a TP-Link TL-WDR4300 v1 (OpenWrt 18.06.1).

I use this device just as an AP and have a T-Com Hybrid router serving internet access and DHCP. The TP-Link is configured as a bridge for eth0.1 and both wifi interfaces. So far so good.

Now I am trying to set up a guest wifi with a different IP range and its own DHCP on the TP-Link. I tried several tutorials for guest wifis but was not able to find one which really covers my use case. When I extend the bridge to also cover the new guest wifi, the new DHCP does not serve new devices and I am just directly connected to the main network. And if I don't add the guest wifi to the bridge, I am not able to configure the firewall so that internet access is provided.

At first glance it seemed like a basic task, but I am not able to set this up.

Is that even possible? And what are the steps to get that running?

Thanks in advance.

Try enabling Masquerading and MSS clamping on the lan interface which acts as the wan interface for the guest network, if you haven't done already.

Yes, did that. Didn't help. DHCP is working, that's it. Don't get any traffic to the router. Currently I am totally confused, tried almost every possible setting. With and without a VLAN... I am clueless... :frowning:

Does the T-Com support vlans and multiple DHCP server instances?
If so, you could create a second vlan to be your guest, which will be a bridge of eth0.X and the guest wifi. The TP-Link still remains a dumb AP, it just has 2 SSIDs that are bridged to different vlans on eth0 port.

Unfortunately not.
Shouldn't there be a simple solution I just don't see?
The task "Having a separate guest network providing internet via external router" sounds so easy... :frowning:

The method @mikma suggested should work.
Post the configs here to see what could be the mistake.


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config rule
	option src 'guest'
	option target 'DROP'
	option dest_port '80'
	option name 'Disable Guest AP HTTP Access'

config rule
	option src 'guest'
	option name 'Disbale Guest AP SSH Access'
	option dest_port '22'
	option target 'DROP'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config forwarding
	option dest 'lan'
	option src 'guest'

config redirect
	option target 'SNAT'
	option src 'guest'
	option dest 'lan'
	option proto 'all'
	option src_dip '192.168.2.2'
	option name 'Guest'

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'private'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option txpower '17'
	option country 'US'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'private'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'gast'
	option encryption 'psk2'
	option key 'yyy'
	option network 'guest'

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:45b4:3dfd::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.2'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option type 'bridge'
	option netmask '255.255.255.0'

In network, remove the bridge from the guest interface; it should only be on the gast SSID network. Also post the DHCP configuration. In there, there has to be a configuration for DHCP under the guest interface.

In firewall config:
Remove MTU fix for the LAN zone. In the Advanced Settings of zone LAN, restrict masquerading to source 192.168.3.0/24.
Remove the SNAT.
The default INPUT for the guest zone is REJECT, so you don't need the rules to drop 22 and 80 from guest. You have the DHCP and DNS correct, just make sure that dnsmasq works on the OpenWrt.

Are you connected to the T-Com through a LAN port or the WAN? My guess is via the LAN, just want to make sure.
If this works, you can later add a REJECT rule to forbid the Guest zone to access anything other than the T-Com in your LAN.

Thanks so far.
Yes, the DHCP is configured, see below. But now I don't even get a DHCP lease...
T-Com is connected via LAN.
This is the current config:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'
	list masq_src '192.168.3.0/24'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config forwarding
	option dest 'lan'
	option src 'guest'

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:45b4:3dfd::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.2'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'Com-Con'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option txpower '17'
	option country 'US'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'Com-Con'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'gast'
	option encryption 'psk2'
	option key 'yyy'
	option network 'guest'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '0'
	option nonwildcard '0'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option interface 'guest'
	option limit '199'

Remove these from Guest zone in firewall.

Reduce that to 150. It is not the final address, but the pool size.

Run a logread -f | grep dnsmasq and restart the dnsmasq to verify that it starts without errors. You can paste the output here.

root@OpenWrt:~# logread -f | grep dnsmasq
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21696]: exiting on receipt of SIGTERM
Sat Aug 18 11:27:05 2018 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Sat Aug 18 11:27:05 2018 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: started, version 2.80test3 cachesize 150
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain test
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain onion
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain localhost
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain local
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain invalid
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain bind
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: using local addresses only for domain lan
Sat Aug 18 11:27:05 2018 daemon.warn dnsmasq[21828]: no servers found in /tmp/resolv.conf.auto, will retry
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: read /etc/hosts - 1 addresses
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: read /tmp/hosts/odhcpd - 0 addresses
Sat Aug 18 11:27:05 2018 daemon.info dnsmasq[21828]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses

Ok, a reboot made the DHCP work. But still no further connection/internet...

To get started in the firewall, you only need a guest firewall zone (accept input and accept output), forwarding guest->lan, and masq / mtu_fix enabled on LAN.

Once you have that working then you can put the other rules back to tighten the firewall.

I like to set up guest as a bridge even if it only has one WiFi AP in it.

You haven't configured any DNS for the device. Add one in LAN interface.

Expected this to be provided by the router. But I also tried that with different DNS servers (Google, OpenDNS, ...) configured on this device. Doesn't work either. I am not even able to ping a DNS server when connected.

It is provided by the router, but you need to configure the router for the upstream nameservers. The default configuration of the dnsmasq is to forward the requests and cache the replies.

  1. Post once again all the current configurations as they are now.
  2. Install tcpdump and run the following command to capture the packets from the previous command: tcpdump -i any -vn host 8.8.8.8 or host 1.1.1.1
  3. Run a tracert (or traceroute or tracepath or mtr) on a host connected in Guest towards 8.8.8.8 or 1.1.1.1

You can stop the capture with Ctrl-c. Paste the output here.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '0'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
        option start '100'
        option leasetime '12h'
        option interface 'guest'
        option limit '150'

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ar934x_wmac'
        option htmode 'HT20'
        option country 'US'
        option legacy_rates '1'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'Com-Con'
        option encryption 'psk2'
        option key 'xxx'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'
        option txpower '17'
        option country 'US'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'Com-Con'
        option encryption 'psk2'
        option key 'xxxi'
        option network 'lan'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'gast'
        option encryption 'psk2'
        option key 'yyy'
        option network 'guest'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd90:45b4:3dfd::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.2'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4 5'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option dns '208.67.222.220'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'
        list masq_src '192.168.3.0/24'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option output 'ACCEPT'
        option name 'guest'
        option network 'guest'
        option forward 'ACCEPT'
        option input 'REJECT'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guest'

config forwarding
        option dest 'lan'
        option src 'guest'

root@OpenWrt:~# tcpdump -i any -vn host 8.8.8.8 or host 1.1.1.1
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:21:53.562074 IP (tos 0x0, ttl 1, id 15138, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562406 IP (tos 0x0, ttl 1, id 64083, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562647 IP (tos 0x0, ttl 1, id 31433, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559475 IP (tos 0x0, ttl 2, id 61955, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559778 IP (tos 0x0, ttl 2, id 35433, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.560016 IP (tos 0x0, ttl 2, id 41802, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566274 IP (tos 0x0, ttl 3, id 39907, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566591 IP (tos 0x0, ttl 3, id 1730, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566825 IP (tos 0x0, ttl 3, id 60329, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20

One thing I find a bit suspicious (at least from my understanding).
Does this make sense:

config forwarding
        option src 'lan'
        option dest 'wan'

Forwarding lan -> wan... since wan is not connected at all. And lan is just the bridge.

But removing didn't help either...

Another thing to mention:
The OpenWrt device itself has no connection to the internet. Figured that out while installing tcpdump, which was not possible (I copied the packages manually onto the device).

Don't know if that's important...
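
The capture posted above can be read mechanically. As an added example (my own code, not from the thread and not an OpenWrt tool), the Python below parses `tcpdump -vn` IPv4 output (two lines per packet) and summarises what the AP saw for one client: how many probes went out, at which TTLs, whether they look like UDP traceroute probes, whether any reply came back, and whether any probe was seen more than once. That last point is the useful one: with `tcpdump -i any` a packet the router forwards is normally captured twice, on the interface it arrived on and again on the one it left through, so a probe whose IP id appears only once entered the AP and never left it. The sample input is the capture posted above; the client address 192.168.3.189 is taken from it.

```python
import re
from collections import Counter

# Sample input: the capture posted in the thread (tcpdump -i any -vn host 8.8.8.8 or host 1.1.1.1).
# 192.168.3.189 is the guest client that ran the traceroute.
CAPTURE = """\
14:21:53.562074 IP (tos 0x0, ttl 1, id 15138, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562406 IP (tos 0x0, ttl 1, id 64083, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562647 IP (tos 0x0, ttl 1, id 31433, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559475 IP (tos 0x0, ttl 2, id 61955, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559778 IP (tos 0x0, ttl 2, id 35433, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.560016 IP (tos 0x0, ttl 2, id 41802, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566274 IP (tos 0x0, ttl 3, id 39907, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566591 IP (tos 0x0, ttl 3, id 1730, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566825 IP (tos 0x0, ttl 3, id 60329, offset 0, flags [none], proto UDP (17), length 48)
    192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
"""

# First line of a packet: timestamp, ttl, IP id and protocol name.
HEADER = re.compile(r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<id>\d+),.*proto (?P<proto>\w+) \(\d+\)")
# Second line: src[.port] > dst[.port]: ...   (ICMP lines carry no ports)
FLOW = re.compile(r"^\s+(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > (?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:")

def parse_capture(text):
    """Turn tcpdump -vn IPv4 output into a list of packet dicts; unparseable lines are skipped."""
    lines = text.splitlines()
    packets, i = [], 0
    while i + 1 < len(lines):
        h, f = HEADER.match(lines[i]), FLOW.match(lines[i + 1])
        if h and f:
            packets.append({"ts": h["ts"], "ttl": int(h["ttl"]), "id": int(h["id"]), "proto": h["proto"],
                            "src": f["src"], "dst": f["dst"], "dport": int(f["dport"]) if f["dport"] else None})
            i += 2
        else:
            i += 1
    return packets

def diagnose(packets, client):
    """Summarise, for one client address, what the capturing router saw."""
    outbound = [p for p in packets if p["src"] == client]
    inbound = [p for p in packets if p["dst"] == client]
    # On 'tcpdump -i any' a forwarded packet is captured on the ingress and on the egress interface,
    # so an IP id seen only once belongs to a packet that entered the router and never left it.
    forwarded = sum(1 for n in Counter(p["id"] for p in outbound).values() if n >= 2)
    return {
        "probes_out": len(outbound),
        "ttls": sorted({p["ttl"] for p in outbound}),
        # classic UDP traceroute uses destination ports 33434 and up
        "traceroute_like": all(p["proto"] == "UDP" and 33434 <= (p["dport"] or 0) <= 33534 for p in outbound),
        "replies_in": len(inbound),
        "forwarded": forwarded,
    }

if __name__ == "__main__":
    print(diagnose(parse_capture(CAPTURE), "192.168.3.189"))
```

For the posted capture this reports nine outbound probes at TTL 1, 2 and 3, no packet from 8.8.8.8 at all, and no probe seen twice: the guest's packets reach the AP (so the guest zone and forwarding are not the blocker), but nothing is passed upstream, which is what a router without a default route looks like.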

Very important.
How do you expect the clients connected to the router to have internet, if the router doesn't in the first place?
Under interface LAN add a default gateway with the address of the T-Com (I suppose it is 192.168.2.1)

Removing the WAN zone won't hurt.
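
The firewall advice earlier in the thread (masquerading and MSS clamping on the LAN zone rather than the guest zone, masquerading restricted with masq_src, no hand-made SNAT redirect, a guest->lan forwarding, explicit DHCP and DNS input rules because the guest zone rejects input) and the final point about the AP's own default gateway can all be checked mechanically. The Python below is an added example, my own code and not from the thread or from OpenWrt: a small parser for UCI text plus a lint that runs those checks over a firewall and a network config. The sample configs are constructed excerpts modelled on the first config posted in the thread, trimmed to the options the lint reads; the assumption that a rule without `proto` means `tcp udp` follows fw3's documented default and is marked in a comment.

```python
# Added example (not from the thread or from OpenWrt): lint UCI firewall/network text for the guest-AP pitfalls discussed above.
import shlex

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opt'}]; repeated 'list' entries become Python lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opt": {}}
            sections.append(cur)
        elif cur is not None and parts[0] == "option" and len(parts) > 1:
            cur["opt"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif cur is not None and parts[0] == "list" and len(parts) > 1:
            cur["opt"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections

def find(sections, typ, **match):
    return [s for s in sections if s["type"] == typ and all(s["opt"].get(k) == v for k, v in match.items())]

def port_in(spec, port):
    # UCI dest_port is a space-separated list of ports or lo-hi ranges; an empty spec matches any port.
    if not spec:
        return True
    for part in spec.split():
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def lint_guest_ap(firewall_text, network_text, guest="guest", uplink="lan"):
    fw, net, findings = parse_uci(firewall_text), parse_uci(network_text), []
    # 1. The AP routes for the guests, so its uplink interface must name the upstream gateway and a resolver.
    up = next((s for s in net if s["type"] == "interface" and s["name"] == uplink), None)
    if up and up["opt"].get("proto") == "static":
        findings += [f"network: static interface '{uplink}' has no '{o}'" for o in ("gateway", "dns") if o not in up["opt"]]
    zones = {z["opt"].get("name"): z for z in fw if z["type"] == "zone"}
    gz, uz = zones.get(guest), zones.get(uplink)
    if gz is None:
        return findings + [f"firewall: zone '{guest}' not found"]
    # 2. NAT and MSS clamping belong on the zone facing upstream, not on the guest zone.
    findings += [f"firewall: '{o}' is set on zone '{guest}'; it belongs on zone '{uplink}'" for o in ("masq", "mtu_fix") if gz["opt"].get(o) == "1"]
    if uz is None or uz["opt"].get("masq") != "1":
        findings.append(f"firewall: zone '{uplink}' needs masq '1' so guest traffic leaves with the AP's own address")
    elif "masq_src" not in uz["opt"]:
        findings.append(f"firewall: zone '{uplink}' masquerades every source; restrict it with 'list masq_src <guest subnet>'")
    # 3. Guests need a forwarding into the uplink zone; a hand-made SNAT redirect only duplicates masquerading.
    if not find(fw, "forwarding", src=guest, dest=uplink):
        findings.append(f"firewall: no forwarding {guest} -> {uplink}")
    if find(fw, "redirect", src=guest, target="SNAT"):
        findings.append(f"firewall: SNAT redirect from '{guest}' is redundant with masq on '{uplink}'; remove it")
    # 4. Unless the guest zone accepts input, DHCP (udp/67) and DNS (tcp+udp/53) to the AP itself need ACCEPT
    #    input rules (rules without 'dest'). Assumption: a rule without 'proto' means 'tcp udp', fw3's default.
    if gz["opt"].get("input") != "ACCEPT":
        rules = [r for r in find(fw, "rule", src=guest, target="ACCEPT") if "dest" not in r["opt"]]
        for proto, port in (("udp", 67), ("udp", 53), ("tcp", 53)):
            if not any(proto in r["opt"].get("proto", "tcp udp").split() and port_in(r["opt"].get("dest_port", ""), port) for r in rules):
                findings.append(f"firewall: zone '{guest}' does not accept input and has no ACCEPT rule for {proto}/{port}")
    return findings

# Constructed excerpts modelled on the first config posted in the thread (trimmed to the options the lint reads).
FIREWALL_BEFORE = """
config zone
	option name 'lan'
	option masq '1'
config zone
	option name 'guest'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
config rule
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
config forwarding
	option src 'guest'
	option dest 'lan'
config redirect
	option target 'SNAT'
	option src 'guest'
	option dest 'lan'
"""
NETWORK_BEFORE = """
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.2.2'
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
"""
FINDINGS = lint_guest_ap(FIREWALL_BEFORE, NETWORK_BEFORE)  # six findings for the first attempt
```

Run against the first attempt, `FINDINGS` lists the missing gateway and dns on lan, masq and mtu_fix on the guest zone, the unrestricted masquerading on lan, and the SNAT redirect; the DHCP and DNS rules and the guest->lan forwarding pass. With the changes from the thread applied (masq_src on lan, masq and mtu_fix removed from guest, the redirect deleted, gateway and dns on lan) the list is empty. The gateway value the thread supposes, 192.168.2.1, is not read by the lint; it only checks that one is set.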