Maybe reading less but more carefully would be better. 
You can’t have dstnat rules with in-interface=br-wan, they can’t work from inside, because connections will be coming from LAN interface. The best is dst-address=, but if it’s dynamic, you can use dst-address-type=local instead and it will match all local addresses. In case you need those ports also on router, e.g. for management from LAN using WebFig, add additional dst-address=!<192.168.1.x> as exception (where 192.168.1.x is router’s local address; don’t forget “!” which means “not”).