SSH via WiFi blocked by firewall

While connected via wlan, your LAN Ethernet link must be idle or not connected, isn't it?

When wlan connection is active, ethernet is not connected.

So why are you bothered by this interface when you are connected via wifi?

(in dhcp mode)
When connected via wlan, how are you getting a DHCP IP on lan?

Let's clarify.
I would like to have 2 different configs, and they are not going to be used at the same time, of course.
The first one is with a DHCP IP, and that config works fine, no matter if it is a wifi or ethernet connection.
So let's leave the DHCP config for a while.

Second config is with static IP.
I would like to have the possibility to easily switch between ethernet and wifi connections without changing anything in the config. Now it looks like this:
/etc/config/network

```
# Section header missing from the post; the stock OpenWrt loopback section name is assumed
config interface 'loopback'
        option ifname           'lo'
        option proto            'static'
        option ipaddr           '127.0.0.1'
        option netmask          '255.0.0.0'

config globals 'globals'
        option ula_prefix       'fdd3:9a1a:c9d9::/48'

config interface 'lan'
        option ifname           'eth0 eth1'
        option type             'bridge'
        option proto            'static'
        option ipaddr           '192.168.2.88'
        option netmask          '255.255.252.0'
        option gateway          '192.168.2.1'
        list dns                '192.168.2.1'
        list dns                '8.8.8.8'

config interface 'wlan'
        option proto            'static'
        option ipaddr           '192.168.2.89'
        option netmask          '255.255.255.0'
        option gateway          '192.168.2.1'
        list dns                '192.168.2.1'
        list dns                '8.8.8.8'

config interface 'wan'
        option ifname           'eth1'
        option proto            'dhcp'
        option ipv6             'auto'
```

It is working (no matter if wifi or ethernet connection), but look at the netmasks.
Does it make sense to you?

@arjuniet
Did you see my latest reply?
Do you have any comment?
Later we can switch to my DHCP config variant to finally confirm its correctness.

During wifi link, for your dhcp config to work properly, the table must be:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan   < it shouldn't be here as
192.168.2.0     *               255.255.255.0   U     0      0        0 wlan0
```

During wifi link, for your static config to work properly, the table must be:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     *               255.255.252.0   U     0      0        0 br-lan   < here also, it shouldn't be here
192.168.0.0     *               255.255.252.0   U     0      0        0 wlan0
```

It is because the bridge is up all the way, even when the eth interfaces are down.

When you changed the mask, it worked:

```
192.168.0.0     *               255.255.252.0   U     0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0    < it is given priority; as its prefix length is more, it's a preferred route
```

So during static, don't configure the same mask on both br-lan

Let me know what all problems are left with your setup.

```
default         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0 or br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0 or br-lan
```

For proper working, this must be the routing table: two routes.

I still doubt that this is not what you are exactly trying to achieve.

Do you want HA or something?
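The route-selection point discussed in this thread, as an added example that is not part of any post: it derives the connected routes from the `ipaddr`/`netmask` values in the static config above and applies longest-prefix matching. The interface names `br-lan` and `wlan0` are taken from the routing tables in the thread; the function names are hypothetical, and a tie is only reported as ambiguous, since this model does not predict which of two equal routes the kernel will use.

```python
import ipaddress


def connected_route(iface, ipaddr, netmask):
    """Return (network, iface): the on-link route implied by an address and mask."""
    return ipaddress.ip_interface(f"{ipaddr}/{netmask}").network, iface


def select_routes(routes, destination):
    """Longest-prefix match: every route that ties for the longest matching prefix."""
    dst = ipaddress.ip_address(destination)
    matching = [(net, iface) for net, iface in routes if dst in net]
    if not matching:
        return []
    best = max(net.prefixlen for net, _ in matching)
    return [(net, iface) for net, iface in matching if net.prefixlen == best]


def egress(routes, destination):
    """Name the outgoing interface, or flag the lookup as ambiguous/unreachable."""
    ifaces = sorted({iface for _, iface in select_routes(routes, destination)})
    if not ifaces:
        return "unreachable"  # only connected routes are modelled, no default route
    if len(ifaces) > 1:
        return "ambiguous: " + ", ".join(ifaces)
    return ifaces[0]


# Static config as posted: lan is a /22, wlan is a /24.
STATIC_AS_POSTED = [
    connected_route("br-lan", "192.168.2.88", "255.255.252.0"),
    connected_route("wlan0", "192.168.2.89", "255.255.255.0"),
]
# Constructed variant: the same mask on both interfaces.
SAME_MASK = [
    connected_route("br-lan", "192.168.2.88", "255.255.252.0"),
    connected_route("wlan0", "192.168.2.89", "255.255.252.0"),
]

if __name__ == "__main__":
    for name, table in (("as posted", STATIC_AS_POSTED), ("same mask", SAME_MASK)):
        for net, iface in table:
            print(f"{name}: {net} dev {iface}")
        for dst in ("192.168.2.1", "192.168.1.10"):
            print(f"{name}: {dst} -> {egress(table, dst)}")
```

With the masks as posted, traffic to the gateway 192.168.2.1 leaves via `wlan0` only because the /24 is more specific than the /22 on `br-lan`; hosts elsewhere in the /22 still resolve to `br-lan`, which stays up even when the Ethernet ports are down.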