Yeah, but you labeled it as WAN, and I noticed it was a local IP address, and I assumed ETH1 was just for the Wi-Fi router. I did not understand you had isolated the two; I thought you had somehow gotten the Pi to see all that with one connection, because I was caught up with another thread that was trying to do the same thing on one port and their Wi-Fi on Starlink.
I still do not understand how DNS requests from 192.168.2.x are getting routed by 192.168.1.0, but after reading your posts a few times, I'm guessing you are using MASQUERADE and PREROUTING to make it happen.
I get the concept, but my Linux is not that good.
I linked to your post and just started asking questions.
edit
See if you can help this person: