Access point sometimes not having internet due to VLANs?

I have set up:

  • 192.168.1.1 is my OpenWrt router
  • 192.168.1.2 is a Wi-Fi Extender/Repeater with Bridged AP over Ethernet
  • 192.168.1.3 is a Wi-Fi Extender/Repeater with Bridged AP over Ethernet

192.168.1.1 provides two VLANs: VLAN 10 is the LAN network with internet connectivity, VLAN 20 is the IoT network without internet connectivity. IPs are handed out via DHCP from the OpenWrt router.

I have noticed that sometimes 192.168.1.2 and 192.168.1.3 cannot ping openwrt.org, and sometimes they can. I think this has something to do with these devices being on two VLANs, one with internet access and one without.

I would like to know what's happening here, and how I can make sure that these devices always have access to the internet.

Relevant config files:

192.168.1.2 - /etc/config/network:

# /etc/config/network on 192.168.1.2 (bridged AP). Note that both the 'lan'
# and the 'iot' interface below use proto 'dhcp', so this AP requests two
# leases, one per VLAN.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd21:10f0:4ff1::/48'
	option packet_steering '1'

# NOTE(review): neither switch_vlan section below uses vid 1 (they define
# vid 10 and vid 20), so eth0.1 appears to carry no VLAN from this switch
# config. Confirm whether VLAN 1 exists on the main router before relying on
# br-lan for anything.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# Management interface of the AP on VLAN 10 (via the br-lan.10 bridge).
# With proto 'dhcp' the address, default gateway and DNS server are all taken
# from whatever DHCP server answers on this VLAN.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'dhcp'
	option hostname 'openwrt-kelder-lan'

# Hardware switch: VLAN filtering enabled, switch reset at boot.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 10 (lan): tagged on ports 0 and 2, untagged on ports 3-5.
# Port 0 is presumably the CPU port and port 2 the uplink trunk -- TODO
# confirm against this device's switch layout.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3 4 5'
	option vid '10'
	option description 'lan'

# VLAN 20 (iot): tagged only, on the same two ports; no untagged member port,
# so wired clients never land on this VLAN.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 2t'
	option vid '20'
	option description 'iot'

# Bridge carrying VLAN 10 towards the CPU (eth0.10).
config device
	option type 'bridge'
	option name 'br-lan.10'
	list ports 'eth0.10'

# Bridge carrying VLAN 20 towards the CPU (eth0.20).
config device
	option type 'bridge'
	option name 'br-lan.20'
	list ports 'eth0.20'

# NOTE(review): a second proto 'dhcp' interface gives the AP a second lease
# with its own default route and DNS server. If the lease obtained on VLAN 20
# (no internet) wins, the AP itself loses internet access while clients
# bridged through it are unaffected -- this looks like the cause of the
# intermittent ping failures; verify with `ip route` on the AP.
config interface 'iot'
	option proto 'dhcp'
	option device 'br-lan.20'
	option hostname 'openwrt-kelder-iot'

192.168.1.2 - /etc/config/firewall:

# /etc/config/firewall on 192.168.1.2: the stock OpenWrt firewall with an
# extra 'iot' zone appended at the end. On a bridged AP these rules only
# govern traffic addressed to, or routed by, the AP itself; client traffic
# bridged at layer 2 between Wi-Fi and the uplink does not pass through them.

# Default policy for traffic not matched by any zone: reject inbound to the
# AP and reject forwarding, allow outbound.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

# Zone for the management VLAN (interface 'lan', VLAN 10). input ACCEPT
# means every service listening on the AP is reachable from this VLAN.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# NOTE(review): this zone has no 'network' list, so it falls back to an
# interface named 'wan', which this AP's /etc/config/network does not define.
# The zone and all 'src wan' rules below therefore appear to match nothing on
# this device; they are the untouched OpenWrt defaults.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Stock lan -> wan forwarding (inert here, see note on the wan zone).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt input rules for the 'wan' zone (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6 and IPsec). Left unchanged from the defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the IoT VLAN (interface 'iot', VLAN 20).
# NOTE(review): input ACCEPT lets hosts on the IoT VLAN reach any service
# listening on the AP itself (ssh / web UI, if enabled). If the IoT VLAN is
# meant to be isolated from management, set input to REJECT here -- or give
# the AP no address on that VLAN at all (proto 'none' on the 'iot'
# interface), which removes the exposure entirely.
config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

# Routed lan -> iot forwarding. Only relevant if the AP ever routes between
# the two VLANs; bridged traffic does not pass through this rule.
config forwarding
	option src 'lan'
	option dest 'iot'

192.168.1.3 - /etc/config/network:

# /etc/config/network on 192.168.1.3 (bridged AP). Identical in structure to
# 192.168.1.2: both the 'lan' and the 'iot' interface below use proto 'dhcp',
# so this AP requests two leases, one per VLAN.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd21:10f0:4ff1::/48'
	option packet_steering '1'

# NOTE(review): neither switch_vlan section below uses vid 1 (they define
# vid 10 and vid 20), so eth0.1 appears to carry no VLAN from this switch
# config. Confirm whether VLAN 1 exists on the main router before relying on
# br-lan for anything.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# Management interface of the AP on VLAN 10 (via the br-lan.10 bridge).
# With proto 'dhcp' the address, default gateway and DNS server are all taken
# from whatever DHCP server answers on this VLAN.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'dhcp'
	option hostname 'openwrt-zolder-lan'

# Hardware switch: VLAN filtering enabled, switch reset at boot.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 10 (lan): tagged on ports 0 and 2, untagged on ports 3-5.
# Port 0 is presumably the CPU port and port 2 the uplink trunk -- TODO
# confirm against this device's switch layout.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3 4 5'
	option vid '10'
	option description 'lan'

# VLAN 20 (iot): tagged only, on the same two ports; no untagged member port,
# so wired clients never land on this VLAN.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 2t'
	option vid '20'
	option description 'iot'

# Bridge carrying VLAN 10 towards the CPU (eth0.10).
config device
	option type 'bridge'
	option name 'br-lan.10'
	list ports 'eth0.10'

# Bridge carrying VLAN 20 towards the CPU (eth0.20).
config device
	option type 'bridge'
	option name 'br-lan.20'
	list ports 'eth0.20'

# NOTE(review): a second proto 'dhcp' interface gives the AP a second lease
# with its own default route and DNS server. If the lease obtained on VLAN 20
# (no internet) wins, the AP itself loses internet access while clients
# bridged through it are unaffected -- this looks like the cause of the
# intermittent ping failures; verify with `ip route` on the AP.
config interface 'iot'
	option proto 'dhcp'
	option device 'br-lan.20'
	option hostname 'openwrt-zolder-iot'

192.168.1.3 - /etc/config/firewall:

# /etc/config/firewall on 192.168.1.3: same content as on 192.168.1.2 -- the
# stock OpenWrt firewall with an extra 'iot' zone appended at the end. On a
# bridged AP these rules only govern traffic addressed to, or routed by, the
# AP itself; client traffic bridged at layer 2 does not pass through them.

# Default policy for traffic not matched by any zone: reject inbound to the
# AP and reject forwarding, allow outbound.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

# Zone for the management VLAN (interface 'lan', VLAN 10). input ACCEPT
# means every service listening on the AP is reachable from this VLAN.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# NOTE(review): this zone has no 'network' list, so it falls back to an
# interface named 'wan', which this AP's /etc/config/network does not define.
# The zone and all 'src wan' rules below therefore appear to match nothing on
# this device; they are the untouched OpenWrt defaults.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Stock lan -> wan forwarding (inert here, see note on the wan zone).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt input rules for the 'wan' zone (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6 and IPsec). Left unchanged from the defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the IoT VLAN (interface 'iot', VLAN 20).
# NOTE(review): input ACCEPT lets hosts on the IoT VLAN reach any service
# listening on the AP itself (ssh / web UI, if enabled). If the IoT VLAN is
# meant to be isolated from management, set input to REJECT here -- or give
# the AP no address on that VLAN at all (proto 'none' on the 'iot'
# interface), which removes the exposure entirely.
config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

# Routed lan -> iot forwarding. Only relevant if the AP ever routes between
# the two VLANs; bridged traffic does not pass through this rule.
config forwarding
	option src 'lan'
	option dest 'iot'

What does the following command show you?

cat /etc/resolv.conf

What is the specific model of your routers and APs?

I assume this from your previous posts:

How are they connected in star or cascade?

star:

cascade:


ps: I can advise you to make the following changes to the configuration files:

on the ap 192.168.1.2 and on 192.168.1.3:

  1. change the protocol of the lan interface from dhcp to a static IP
    as it is better if dumb APs have a pre-defined IP address regardless of the main router (just my personal opinion)

  2. change the protocol of the iot interface from dhcp to none
    as I assume there is no reason for an IP address to be assigned on the iot/guest VLANs of dumb APs (unless you have some service that needs to be delivered on that specific VLAN). A second DHCP lease can also hand the AP a second default route and DNS server, so whenever the lease from the VLAN without internet wins, the AP itself loses internet access.

example: 192.168.1.2

# Proposed /etc/config/network for 192.168.1.2: static management address on
# VLAN 10, no address at all on VLAN 20.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd21:10f0:4ff1::/48'
	option packet_steering '1'

# These lines are probably useless: do you have a VLAN 1 on the main router?
# Neither switch_vlan section below defines vid 1. Before changing this,
# also show the main router configuration.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'


# Management interface on VLAN 10 with a fixed address. Address, gateway and
# DNS are pinned to the main router, so the AP no longer depends on a DHCP
# lease for its own connectivity. The hostname option is kept from the
# original; it is presumably unused with proto 'static' (it is a dhcp
# option) and is harmless here.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
	option hostname 'openwrt-kelder-lan'

# Hardware switch: VLAN filtering enabled, switch reset at boot.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 10 (lan): tagged on ports 0 and 2, untagged on ports 3-5.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3 4 5'
	option vid '10'
	option description 'lan'

# VLAN 20 (iot): tagged only, no untagged member port.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 2t'
	option vid '20'
	option description 'iot'

# Bridge carrying VLAN 10 towards the CPU (eth0.10).
config device
	option type 'bridge'
	option name 'br-lan.10'
	list ports 'eth0.10'

# Bridge carrying VLAN 20 towards the CPU (eth0.20).
config device
	option type 'bridge'
	option name 'br-lan.20'
	list ports 'eth0.20'

# proto 'none': the AP only bridges VLAN 20 and has no address on it. That
# means no second default route or DNS server competing with the lan
# interface, and nothing on the IoT VLAN can address the AP itself. The
# hostname option is kept from the original and is presumably unused with
# proto 'none'.
config interface 'iot'
	option proto 'none'
	option device 'br-lan.20'
	option hostname 'openwrt-kelder-iot'
  3. disable the firewall, dnsmasq and odhcpd
# Stop and disable the services a bridged AP does not need; the main router
# (192.168.1.1) provides the firewall, DHCP and DNS for both VLANs.
for svc in firewall dnsmasq odhcpd; do
	service "$svc" disable
	service "$svc" stop
done

as it is better that these services are centralized on 192.168.1.1
(just my personal opinion)

show this:

I quote from the document:
"As an AP, the device will not perform any duties beyond simply bridging Ethernet and Wifi. That is to say that it will not be responsible for routing, firewall, DHCP, or DNS, as these are performed by the upstream router and/or other device(s). Wireless clients connecting to the AP will get an IP address from the DHCP server already running on the network, and will send traffic to the existing router to reach the internet. "

Thank you for your extensive research and answer. cat /etc/resolv.conf outputs this on every device:

search lan
nameserver 127.0.0.1
nameserver ::1

I think that you are spot on with changing the DHCP protocol to None (Unmanaged) on the IoT interface of the APs.

I also disabled the firewall, dnsmasq and odhcpd. I will see if this solves the problem.

Thank you very much again for spending the time to write such an elaborate answer.
