The WAN port is now working like a LAN port. Now I need to see if there is anything else I need to do.
I added this script:
# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
if /etc/init.d/"$i" enabled; then
/etc/init.d/"$i" disable
/etc/init.d/"$i" stop
fi
done
rm /usr/sbin/wpa_supplicant
I am looking into multicast.
There is no need for this script. I would recommend against using it.
The dumb AP should be entirely transparent.... multicast will not be affected unless you set a few optoins on the wifi config that are there to limit it.
Thankyou. The router is up and running again. I tested it out and I am still getting the captive portal pop up.
Great!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! 
The router is now working with a valid configuration. I still have my original problem. The phones connecting to it bring up a captive portal. This did not happen before I updated OpenWRT.
At this point, I don't believe that this is related to the OpenWrt router. But let's review the final configs again:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ubus call system board
{
"kernel": "5.15.134",
"hostname": "Router",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Linksys EA8500 WiFi Router",
"board_name": "linksys,ea8500",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'ab12:cd34:ab12::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config device
option name 'eth1.1'
option macaddr 'A1:B2:C3:D4:A1:B2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.100'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config device
option name 'eth0.2'
option macaddr 'A1:B2:C3:D4:A1:B2'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option auto '0'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 5 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '11'
option band '2g'
option htmode 'HT40'
option txpower '10'
option cell_density '0'
option noscan '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Router2.4'
option encryption 'sae-mixed'
option key 'editedofcourse'
option wpa_disable_eapol_key_retries '1'
option macfilter 'allow'
list maclist 'AB:12:34:56:78:9C'
list maclist 'AB:12:34:56:78:9C'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option txpower 'default'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Router5'
option encryption 'sae-mixed'
option key 'editedofcourse'
option wpa_disable_eapol_key_retries '1'
option macfilter 'allow'
list maclist 'AB:12:34:56:78:9C'
list maclist 'AB:12:34:56:78:9C'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Try running wap2 (psk2) encryption instead of sae-mixed. Mixed mode tends to cause problems with a lot of different devices.
Remove this line, too.
And this could well be part of the issue, too. I'd recommend removing the macfilter.
Make these changes on both radios and try again.
Where exactly in the interface would I set option 114?
I tried editing those and none of them fix the problem.
If you unplug this ap and connect to the same upstream network, does the captive portal message appear?
This would need to be set in the upstream dhcp server. Do you have the ability to configure that dhcp server?
Yes, it is a Pfsense server. I haven't updated it recently so nothing should have changed with it.
This AP is what gives me wifi so I can't connect a phone to it without this access point.
I suspect that the problem is on the pfsense system. We need to prove/disprove this — the only way to do so is to bypass the openwrt system.
Do you have another ap you can make into a dumb ap? Or a usb Ethernet adapter that you can plug into your phone?
A bit of context that might help:
Just about all operating systems and browsers these days, have a built in functionality to try to detect if a captive portal is present, and take the user to a web page for logging in if a portal is detected.
This is a de-facto standard that has developed over many years and is known by various names, the most common being CPD (Captive Portal Detection) and "Captive Portal Canary Test ".
When a device connects to a wireless network, the CPD tests a very specific http, port 80, URL and checks for a specific response. The actual url can, and does, vary depending on vendor, os release version etc.
Many Android devices use a url based on the google.com fqdn.
Apple devices, of course, use a url based on the apple.com fqdn.
There is also now a "proper" documented standard (rfc8910 combined with rfc 8908) known as CPI (Captive Portal Identification), but this is not universally supported and where it is, is subject to interpretation, so tends to not be supported by captive portal applications, at least not yet.
It is CPI that uses option 114 as mentioned by @mk24
Now back to your issue.
There are, as @psherman has pointed out, numerous issues with your config. These may or may not be contributing to your issue, but are well worth fixing anyway.
This indicates that the device(s) are indeed doing the CPD test to a url based on the google.com fqdn, as they are designed to do.
The blank screen indicates there is no actual portal page (because you do not have a captive portal anywhere), but does indicate that the google.com fqdn is blocked somewhere.
What happens if you try to go to www.google.com?
AFAIK GraphineOS has CPD disabled by default.
For future people that read this. I found Pfblocker was blocking the Google internet connectivity domains. GrapheneOS was not effected because they use their own connectivity domains. I am currently looking into how to do a redirect to server that throws the 204 status the connectivity check needs while not being blocked by Pfblocker.
On a side note, I cannot believe LineageOS did not change their connectivity checks to alternative servers. Google can literally track people with connectivity checks.