At work, one of our VPN routers has been stuck behind one of AT&T's magnificent 2wire router-modems: so magnificent in fact that they babysit your connection to see if you put another router behind it. That babysitting might be useful, except their special "NAT Plus" confuses the hell out of OpenWRT. The original setup worked for 2-3 days, then the gateway started failing to resolve anything non-IPv6. Bridge mode normally avoids this kind of issue, but AT&T support for it is rather poor, and the site's 3000 miles away: you do what you can.
1. Gateway IP/mdc (i.e. http://192.168.0.254/mdc): use this for a cleaner configuration layout. I disabled the router-behind-router detection in local network settings, and set the DNS servers to the OpenDNS pair (126.96.36.199 / 188.8.131.52). I also added firewall exceptions for the device detected as our router for DNS, our VPN software, and SSH (so I could access our router remotely).
2. Our OpenWRT router: set the WAN port to DHCP, the local DHCP setup to our internal DNS servers, and the dnsmasq setup to make sure its passing along our internal domain name.
In other words, setup the AT&T with a working DNS pair, set its firewall to redirect DNS and VPN queries to your own router, and set your router to hand out local DHCP with whatever you'd normally use for DNS.