Solved by redoing what was wrong. Attached a Wi-Fi interface, remapped the IPs onto that one, cleared the IP off eth0, added it to br-ex, and restarted all the services. Confirmed that the instances can ping the router's internal and external addresses, added routes for the network range wrapping the external network subset, and reduced the MTU to be able to SSH into instances. Works.