I don't see anything out of the ordinary:
No firewall rules (except nat masq) => all is ACCEPTed
Routing table has no non-default entries, so it should include connected routes for each network + default gateway from dhcp-client
=> please verify that?
So, should be working as is.
A few other remarks to look into later, but non-blocking:
* there is no need for a bridge with only 1 device in it
* interface list isn't in sync with bridge config, but currently not used
* dhcp pool naming scheme <> dhcp-server naming scheme???