APs cannot reach internet via new router interface

In trying to clean up my config to deal with another issue, I’ve created another dedicated management interface on the router. Both APs with static IPs on the new network can ping the router, and my PC can access both APs. If I limit my PC to this new network (VLAN 50), it can reach the internet.

Neither AP (both OpenWrt) can reach the internet via this new interface.

I’m using the preformatted text option to format this. If it isn’t readable, please let me know which formatting method I should be using.

Here is what I see on one of the APs:

root@ollie:~# opkg update
Downloading https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/kmods/6.6.93-1-ae7dcdf01cb63b83c64f5cb8d8960511/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/kmods/6.6.93-1-ae7dcdf01cb63b83c64f5cb8d8960511/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/telephony/Packages.gz

Collected errors:
* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/base/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/targets/ramips/mt7621/kmods/6.6.93-1-ae7dcdf01cb63b83c64f5cb8d8960511/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/luci/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

* opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.2/packages/mipsel_24kc/telephony/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.

The zone for this network is ‘MNGT’

Subnet 10.10.250.0

vlan 50

interface name MNGT

This has to be something simple.

Here is the router info.

ubus call system board

{
"kernel": "6.6.93",
"hostname": "shadow",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X",
"board_name": "ubnt,edgerouter-x",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.2",
"revision": "r28739-d9340319c6",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.2 r28739-d9340319c6",
"builddate": "1750711236"
}
}

cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd97:0191:ac00::/48'
option packet_steering '2'
option steering_flows '128'

config device
option name 'br-lan'
option type 'bridge'
option acceptlocal '1'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'

config interface 'net_10_10_10'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.10.10.1'
option igmp_snooping '0'
option delegate '0'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option peerdns '0'
option hostname '*'
option dns_metric '5'
list dns '1.0.0.1'
list dns '1.1.1.1'

config device
option name 'eth1'
option eee '0'
option acceptlocal '1'

config device
option name 'eth2'
option eee '0'
option acceptlocal '1'

config device
option name 'eth3'
option eee '0'
option acceptlocal '1'

config device
option name 'eth4'
option eee '0'
option acceptlocal '1'

config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1:t*'
list ports 'eth2:t'
list ports 'eth3:t'
list ports 'eth4:t'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth1:t'
list ports 'eth2:t'
list ports 'eth3:t'
list ports 'eth4:t'

config interface 'net_10_10_20'
option proto 'static'
option device 'br-lan.3'
option ipaddr '10.10.20.1'
option netmask '255.255.255.0'
option ip6ifaceid '::3'
option igmp_snooping '0'

config bridge-vlan
option device 'br-lan'
option vlan '5'
list ports 'eth1:t'
list ports 'eth3:t'
list ports 'eth4:t'

config interface 'net_10_10_30'
option proto 'static'
option device 'br-lan.5'
option ipaddr '10.10.30.1'
option netmask '255.255.255.0'

config interface 'wg2'
option proto 'wireguard'
option private_key 'sVacSaU5YuyigHs='
list dns '1.1.1.1'
list dns '1.0.0.1'
list addresses '10.73.58.80/32'
option dns_metric '0'
option auto '0'

config wireguard_wg2
option description 'us-atl-wg-001'
option public_key '0TFzf2W5wPAl8EEuJ0t+bzs='
option endpoint_host '45.134.140.130'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '60'
option route_allowed_ips '1'

config device
option name 'eth0'

config interface 'wg3'
option proto 'wireguard'
option auto '0'
option private_key 'oU0f8MtLWjvoP2oNUwQ4NhYWY='
list addresses '10.74.112.178/32'
list dns '1.1.1.1'
list dns '1.0.0.1'

config wireguard_wg3
option description 'us-rag-wg-205'
option public_key 'fOhTNGnNfoP20al/cniyc='
option endpoint_host '23.234.78.2'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '60'

config interface 'wg1'
option proto 'wireguard'
option auto '0'
option private_key 'gj1fpKtsEPxRz1oK08='
list addresses '10.72.99.91/32'
list dns '1.1.1.1'
list dns '1.0.0.1'

config wireguard_wg1
option description 'us-qas-wg-004'
option public_key 'A7zRt9ysI64LjTOx2vmm4='
option persistent_keepalive '60'
list allowed_ips '0.0.0.0/0'
option endpoint_host '198.54.135.130'

config device
option type '8021q'
option ifname 'br-lan'
option vid '7'
option name 'br-lan.7'
option ipv6 '0'

config interface 'net_10_10_40'
option proto 'static'
option device 'br-lan.7'
option ipaddr '10.10.40.1'
option netmask '255.255.255.0'

config bridge-vlan
option device 'br-lan'
option vlan '7'
list ports 'eth3:t'

config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'eth1:t'
list ports 'eth2:t'
list ports 'eth3:u*'
list ports 'eth4:t'

config interface 'MNGT'
option proto 'static'
option device 'br-lan.50'
option ipaddr '10.10.250.1'
option netmask '255.255.255.0'

cat firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'

config zone
option name 'vlan1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config forwarding
option src 'vlan1'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping-Wan'
option family 'ipv4'
list proto 'icmp'
list icmp_type 'echo-request'
option src 'wan'
option target 'ACCEPT'
option enabled '0'

config rule
option name '3-to-dns-dhcp'
option src 'vlan3'
option dest_port '53 67'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'denon-to-wan'
option dest 'wan'
option target 'REJECT'
option family 'ipv4'
option src 'vlan3'
list src_ip '10.10.20.99'
list proto 'all'

config rule
option name 'MDNS'
list proto 'udp'
option src 'vlan3'
option src_port ' 5353'
list dest_ip '224.0.0.251'
option dest_port ' 5353'
option target 'ACCEPT'
option dest '*'
option family 'ipv4'
option ipset 'MediaPlayers'

config zone
option name 'vlan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan3'

config forwarding
option src 'vlan3'
option dest 'wan'

config rule
option name 'mediaplayers-to-vlan1'
option src 'vlan3'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
option ipset 'MediaPlayers'
option family 'ipv4'
option dest_port '1900 8008 8009 8010 32768-61000'
option dest 'vlan1'

config forwarding
option src 'vlan1'
option dest 'vlan3'

config rule
option name 'beelink-3-to-1'
option src 'vlan3'
option dest 'vlan1'
option target 'ACCEPT'
option family 'ipv4'
list src_mac 'E0:2E:0B:91:E9:07'

config redirect
option target 'DNAT'
option name 'dns-redirect-vlan3'
option family 'ipv4'
option src 'vlan3'
option src_ip '!10.10.20.1'
option src_dport '53'
option dest_ip '10.10.20.1'
option dest_port '53'
option src_dip '!10.10.20.1'
option reflection '0'
list proto 'tcp'
list proto 'udp'
option dest 'vlan3'

config redirect
option target 'DNAT'
option name 'dns-redirect-vlan1'
option family 'ipv4'
option src 'vlan1'
option src_ip '!10.10.10.1'
option src_dip '!10.10.10.1'
option src_dport '53'
option dest_ip '10.10.10.1'
option dest_port '53'
option reflection '0'
list proto 'tcp'
list proto 'udp'
option dest 'vlan1'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan1'
option src 'vlan1'
option src_ip '!10.10.10.1'
option src_dip '!10.10.10.1'
option src_dport '123'
option dest_ip '10.10.10.1'
option dest_port '123'
list proto 'udp'
option reflection '0'
option dest 'vlan1'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan3'
option src 'vlan3'
option src_ip '!10.10.20.1'
option src_dport '123'
option dest_ip '10.10.20.1'
option dest_port '123'
option src_dip '!10.10.20.1'
list proto 'udp'
option reflection '0'
option dest 'vlan3'

config ipset
option name 'ChromeCasts'
option family 'ipv4'
list match 'ip'
list entry '10.10.20.11'
list entry '10.10.20.22'
list entry '10.10.20.35'

config ipset
option name 'MediaPlayers'
option family 'ipv4'
list entry '10.10.20.11'
list entry '10.10.20.22'
list entry '10.10.20.35'
list entry '10.10.20.99'
list entry '10.10.20.12'
list match 'ip'

cat pbr

config pbr 'config'
option enabled '1'
option verbosity '1'
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '0'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'

config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.40.0/24 10.10.250.0/24'

config policy
option name 'ntp'
option src_addr '0.0.0.0/0'
option dest_port '123'
option interface 'wan'
option chain 'output'
option proto 'udp'

config policy
option name 'dhcp'
option dest_port '67'
option proto 'udp'
option chain 'output'
option interface 'wan'
option src_addr '0.0.0.0/0'

config policy
option name 'Fire Sticks EtAl'
option interface 'wan'
option src_addr '10.10.20.14 10.10.20.15 10.10.20.37 '

config policy
option name 'Sites Bypass'
option dest_addr 'fabricguru.com '
option interface 'wan'
option src_addr '0.0.0.0/0'

config policy
option name 'ByPass'
option src_addr '0.0.0.0/0'
option dest_addr '0.0.0.0/0'
option interface 'wan'
option enabled '0'

cat https-dns-proxy

config main 'config'
option dnsmasq_config_update '*'
option force_dns '0'
list force_dns_port '53'
list force_dns_port '853'
option procd_trigger_wan6 '0'

config https-dns-proxy
option resolver_url 'https://dns.quad9.net/dns-query'
option bootstrap_dns '9.9.9.9,149.112.112.112'
option listen_addr '127.0.0.1'
option listen_port '5053'
option user 'nobody'
option group 'nogroup'

config https-dns-proxy
option bootstrap_dns '1.1.1.1,1.0.0.1'
option resolver_url 'https://cloudflare-dns.com/dns-query'
option listen_addr '127.0.0.1'
option listen_port '5054'
option user 'nobody'
option group 'nogroup'

That is dangerous; better keep the defaults at, well, default, i.e. option input at 'REJECT'.

Are the WG interfaces actually working? I am missing an endpoint_port at all wg interfaces.

If they are working, there is one wg interface (wg2) which has route allowed IPs enabled; that should be the default route.

But I am missing any firewall zone which involves the WireGuard interfaces?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

cat /etc/config/dhcp
cat /etc/config/firewall

(and please reformat your first post.....)
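The review points raised in the replies above (the `defaults` input policy, WireGuard peers without `endpoint_port`, and interfaces that no firewall zone covers) can be checked mechanically against saved copies of `/etc/config/network` and `/etc/config/firewall`. The script below is an added example, not part of the original thread or of OpenWrt; `parse_uci` and `audit` are hypothetical helper names, and the embedded configs are a constructed sample abridged from the first listings posted here.

```python
"""Offline audit of saved OpenWrt network/firewall configs (added example)."""
import shlex

# Constructed sample: abridged from the first listings in this thread, keys omitted.
NETWORK = """
config interface 'net_10_10_10'
    option device 'br-lan.1'
    option proto 'static'

config interface 'wan'
    option device 'eth0'
    option proto 'dhcp'

config interface 'wg2'
    option proto 'wireguard'

config wireguard_wg2
    option endpoint_host '45.134.140.130'
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'

config interface 'MNGT'
    option device 'br-lan.50'
    option proto 'static'
"""

FIREWALL = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vlan1'
    option input 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option masq '1'
    list network 'wan'
"""


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options': {key: [values]}}."""
    sections = []
    for raw in text.splitlines():
        if raw.strip().startswith("#"):
            continue
        tokens = shlex.split(raw)  # handles the single-quoted UCI values
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else None
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif tokens[0] in ("option", "list") and len(tokens) >= 3 and sections:
            sections[-1]["options"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def first(section, key, default=None):
    """First value of an option, or the default when the option is absent."""
    return section["options"].get(key, [default])[0]


def audit(network_text, firewall_text):
    """Return human-readable findings for the points raised in the thread."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    interfaces = {s["name"]: s for s in net if s["type"] == "interface"}
    zones = [s for s in fw if s["type"] == "zone"]
    findings = []

    # 1. Default input policy applies to traffic that matches no zone.
    for s in fw:
        if s["type"] == "defaults" and first(s, "input", "").upper() == "ACCEPT":
            findings.append("defaults: input is ACCEPT; unzoned traffic to the router is accepted")

    # 2. Zones that name a network which does not exist in the network config.
    zoned = set()
    for z in zones:
        for value in z["options"].get("network", []):
            for n in value.split():
                zoned.add(n)
                if n not in interfaces:
                    findings.append(f"zone {first(z, 'name')}: network '{n}' is not defined in /etc/config/network")

    # 3. Interfaces (WireGuard included) that no zone covers.
    for name, s in interfaces.items():
        if name != "loopback" and name not in zoned:
            findings.append(f"interface {name} (proto {first(s, 'proto')}): not covered by any firewall zone")

    # 4. WireGuard peers with an endpoint host but no explicit port.
    for s in net:
        opts = s["options"]
        if s["type"].startswith("wireguard_") and "endpoint_host" in opts and "endpoint_port" not in opts:
            findings.append(f"{s['type']}: endpoint_host set without endpoint_port")
    return findings


if __name__ == "__main__":
    for line in audit(NETWORK, FIREWALL):
        print(line)
```

To use it on a real device, copy the two files off the router and pass their contents to `audit()` in place of the embedded samples.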

The wg interface in use is wg2.

My ‘cat firewall’ got truncated. Here it is again:

cat firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'

config zone
option name 'HID'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'net_10_10_10'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'

config rule
option name 'Allow-Ping-Wan'
list proto 'icmp'
list icmp_type 'echo-request'
option src 'wan'
option target 'ACCEPT'

config rule
option name 'Denon to HID'
option src 'VOT'
list src_ip '10.10.20.26'
option target 'ACCEPT'
option dest 'HID'
list proto 'tcp'
list proto 'udp'
option dest_port '80 443 5020 3813 8080'

config zone
option name 'VOT'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'net_10_10_20'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan1'
option src 'HID'
option src_dport '123'
list proto 'udp'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan3'
option src 'VOT'
option src_dport '123'
list proto 'udp'

config rule
option src 'VOT'
option dest 'VOT'
option name 'BlockTovlan3Bridge'
list dest_ip '10.10.20.5'
option target 'DROP'

config rule
option name 'MDNS'
option src '*'
option src_port '5353'
option dest_port '5353'
option target 'ACCEPT'
list proto 'udp'
list dest_ip '224.0.0.251'

config include 'user'
option enabled '1'
option type 'script'
option path '/etc/config/firewall.user'
option fw4_compatible '1'

config rule
option name 'Chromecast Ports '
option src 'VOT'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
option dest_port '8008 8009 8010 32768-61000'
option dest 'HID'
list src_ip '10.10.20.11'
list src_ip '10.10.20.22'
list src_ip '10.10.20.35'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan7'
list proto 'udp'
option src 'CAMERAS'
option src_dport '123'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan50'
list proto 'udp'
option src 'MNGT'
option src_dport '123'

config redirect 'dns_int_1'
option name 'Intercept-DNS vlan1'
option family 'ipv4'
option proto 'tcp udp'
option src 'HID'
option src_dport '53'
option target 'DNAT'

config redirect 'dns_int_3'
option name 'Intercept-DNS vlan3'
option family 'ipv4'
option proto 'tcp udp'
option src 'VOT'
option src_dport '53'
option target 'DNAT'

config zone
option name 'NFS'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'net_10_10_30'

config forwarding
option src 'HID'
option dest 'VOT'

config forwarding
option src 'HID'
option dest 'wan'

config forwarding
option src 'VOT'
option dest 'wan'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'

config zone
option name 'wg2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg2'

config forwarding
option src 'HID'
option dest 'wg2'

config forwarding
option src 'VOT'
option dest 'wg2'

config zone
option name 'wg3'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg3'

config forwarding
option src 'HID'
option dest 'wg3'

config forwarding
option src 'VOT'
option dest 'wg3'

config zone
option name 'wg1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg1'

config forwarding
option src 'HID'
option dest 'wg1'

config forwarding
option src 'VOT'
option dest 'wg1'

config ipset
option name 'FireSticks'
option family 'ipv4'
list match 'src_ip'
list entry '10.10.20.14'
list entry '10.10.20.15'
list entry '10.10.20.17'

config zone
option name 'CAMERAS'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'net_10_10_40'

config redirect
option target 'DNAT'
option name 'intercept-DNS vlan50'
option src 'MNGT'
option src_dport '53'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'

config forwarding
option src 'HID'
option dest 'CAMERAS'

config rule
option name 'Denon Out'
option src 'VOT'
list src_ip '10.10.20.26'
option target 'REJECT'
option dest '*'
option enabled '0'

config ipset
option name 'WANs'
option family 'ipv4'
list match 'dest_mac'
list entry '60:22:32:54:0B:94'

config zone
option name 'MNGT'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'MNGT'

config forwarding
option src 'MNGT'
option dest 'wg1'

config forwarding
option src 'MNGT'
option dest 'wg2'

config forwarding
option src 'MNGT'
option dest 'wg3'

config forwarding
option src 'MNGT'
option dest 'wan'

and dhcp

cat dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option local '/evinrude.net/'
option domain 'evinrude.net'
option filterwin2k '1'
option cachesize '10000'
option min_cache_ttl '3600'
option quietdhcp '1'
option confdir '/etc/config/dnsmasq.user'
option dnsforwardmax '500'
list addnmount '/bin/busybox'
option nonegcache '1'
option rebind_localhost '1'
list server '127.0.0.1#5053'
list server '127.0.0.1#5054'
list notinterface 'wan'
list notinterface 'wg1'
list notinterface 'wg2'
list notinterface 'wg3'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '127.0.0.1#5053'
list doh_backup_server '127.0.0.1#5054'
list doh_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5054'

config dhcp 'net_10_10_10'
option interface 'net_10_10_10'
option start '10'
option limit '240'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option '42,10.10.10.1'
list dhcp_option '6,10.10.10.1'
option force '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '3'

config host
option name 'linux-laptop'
option dns '1'
option mac 'A0:D3:7A:8D:BC:6A'

config domain
option name 'shadow'
option ip '10.10.10.1'

config domain
option ip '10.10.10.4'
option name 'ollie'

config domain
option name 'timeserver'
option ip '10.10.10.1'

config domain
option ip '10.10.10.8'
option name 'kitten'

config dhcp 'net_10_10_20'
option interface 'net_10_10_20'
option start '10'
option limit '240'
option leasetime '12h'
list dhcp_option '42,10.10.20.1'
list dhcp_option '6,10.10.20.1'
option force '1'

config host
option name 'hs200studiooutside'
option dns '1'
option mac '6C:5A:B0:EE:9B:F1'

config host
option name 'hs200shopoutside'
option dns '1'
option mac '6C:5A:B0:EE:BA:91'

config host
option name 'brotherprinter'
option dns '1'
list mac '60:6D:C7:69:40:EB'
option ip '10.10.20.27'

config host
list mac 'b0:41:6f:0d:14:93'
option ip '10.10.10.5'

config host
option ip '10.10.20.34'
option name 'S10shop'

config domain
option name 'daisy'
option ip '10.10.10.9'

config host
option name 'biscuit'
list mac '00:18:DD:09:13:E3'
option ip '10.10.20.12'

config host
list mac '90:A8:22:51:63:F1'
option ip '10.10.20.15'

config host
list mac '48:78:5E:FE:B3:69'
option ip '10.10.20.14'

config host
list mac '80:4E:70:0A:51:60'
option ip '10.10.10.131'

config host
option name 'EP10-grandpa'
list mac '8C:90:2D:27:71:22'
option ip '10.10.20.90'

config host
option name 'EP10-livingroom'
list mac '8C:90:2D:27:88:86'
option ip '10.10.20.91'

config host
option name 'EP10-library'
list mac '8C:90:2D:27:71:33'
option ip '10.10.20.92'

config host
option ip '10.10.40.10'
list mac 'DC:62:79:DA:44:8B'

config dhcp 'net_10_10_40'
option interface 'net_10_10_40'
option start '20'
option limit '5'
option leasetime '12h'
option force '1'
list dhcp_option '6,10.10.40.1'
list dhcp_option '42,10.10.40.1'

config host
list mac '00:05:CD:DA:92:56'
option ip '10.10.20.26'

config host
option name 'cc-library'
list mac 'E4:F0:42:A1:D2:36'
option ip '10.10.20.11'

config host
list mac '8C:2A:85:00:8C:9A'
option ip '10.10.20.37'

config domain
option name 'C320WSFP'
option ip '10.10.40.10'

config domain
option name 'photos'
option ip '10.10.10.9'

config domain
option name 'elog'
option ip '10.10.10.9'

config domain
option name 'beelink'
option ip '10.10.10.5'

config domain
option name 'webdav'
option ip '10.10.10.9'

config domain
option name 'nfs'
option ip '10.10.30.9'

config domain
option name 'motion'
option ip '10.10.10.7'

config domain
option name 'pi4b'
option ip '10.10.10.7'

config dhcp 'MNGT'
option interface 'MNGT'
option start '100'
option limit '150'
option leasetime '12h'

Please mark all text from each file and mark as a code box using </> button above.

This is where I keep having a problem. I highlight the text and then hit </>. What else should I do? Is it possible Firefox is causing an issue?

I don't know
works for me

Make sure you're in "Markdown mode" before you start writing. Make sure you're on a new line, then hit the </> button on the formatting bar. It will insert

type or paste code here

where the above is between two sets of three tick marks (```).

Paste your output in the middle (replacing "type or paste code here")

ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "shadow",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}
 
/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd97:0191:ac00::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        option acceptlocal '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'net_10_10_10'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.10.10.1'
        option igmp_snooping '0'
        option delegate '0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        option hostname '*'
        option dns_metric '5'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config device
        option name 'eth1'
        option eee '0'
        option acceptlocal '1'

config device
        option name 'eth2'
        option eee '0'
        option acceptlocal '1'

config device
        option name 'eth3'
        option eee '0'
        option acceptlocal '1'

config device
        option name 'eth4'
        option eee '0'
        option acceptlocal '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:t*'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth1:t'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4:t'

config interface 'net_10_10_20'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.10.20.1'
        option netmask '255.255.255.0'
        option ip6ifaceid '::3'
        option igmp_snooping '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'eth1:t'
        list ports 'eth3:t'
        list ports 'eth4:t'

config interface 'net_10_10_30'
        option proto 'static'
        option device 'br-lan.5'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

config interface 'wg2'
        option proto 'wireguard'
        option private_key ''
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list addresses '10.73.58.80/32'
        option dns_metric '0'
        option auto '0'

config wireguard_wg2
        option description 'us-atl-wg-001'
        option public_key ''
        option endpoint_host '45.134.140.130'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '60'
        option route_allowed_ips '1'

config device
        option name 'eth0'

config interface 'wg3'
        option proto 'wireguard'
        option auto '0'
        option private_key ''
        list addresses '10.74.112.178/32'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config wireguard_wg3
        option description 'us-rag-wg-205'
        option public_key ''
        option endpoint_host '23.234.78.2'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '60'

config interface 'wg1'
        option proto 'wireguard'
        option auto '0'
        option private_key ''
        list addresses '10.72.99.91/32'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config wireguard_wg1
        option description 'us-qas-wg-004'
        option public_key ''
        option persistent_keepalive '60'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '198.54.135.130'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '7'
        option name 'br-lan.7'
        option ipv6 '0'

config interface 'net_10_10_40'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '10.10.40.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'eth3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'eth1:t'
        list ports 'eth2:t'
        list ports 'eth3:u*'
        list ports 'eth4:t'

config interface 'MNGT'
        option proto 'static'
        option device 'br-lan.50'
        option ipaddr '10.10.250.1'
        option netmask '255.255.255.0'

 
/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option local '/evinrude.net/'
        option domain 'evinrude.net'
        option filterwin2k '1'
        option cachesize '10000'
        option min_cache_ttl '3600'
        option quietdhcp '1'
        option confdir '/etc/config/dnsmasq.user'
        option dnsforwardmax '500'
        list addnmount '/bin/busybox'
        option nonegcache '1'
        option rebind_localhost '1'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list notinterface 'wan'
        list notinterface 'wg1'
        list notinterface 'wg2'
        list notinterface 'wg3'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config dhcp 'net_10_10_10'
        option interface 'net_10_10_10'
        option start '10'
        option limit '240'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '42,10.10.10.1'
        list dhcp_option '6,10.10.10.1'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

config host
        option name 'linux-laptop'
        option dns '1'
        option mac 'A0:D3:7A:8D:BC:6A'

config domain
        option name 'shadow'
        option ip '10.10.10.1'

config domain
        option ip '10.10.10.4'
        option name 'ollie'

config domain
        option name 'timeserver'
        option ip '10.10.10.1'

config domain
        option ip '10.10.10.8'
        option name 'kitten'

config dhcp 'net_10_10_20'
        option interface 'net_10_10_20'
        option start '10'
        option limit '240'
        option leasetime '12h'
        list dhcp_option '42,10.10.20.1'
        list dhcp_option '6,10.10.20.1'
        option force '1'

config host
        option name 'hs200studiooutside'
        option dns '1'
        option mac '6C:5A:B0:EE:9B:F1'

config host
        option name 'hs200shopoutside'
        option dns '1'
        option mac '6C:5A:B0:EE:BA:91'

config host
        option name 'brotherprinter'
        option dns '1'
        list mac '60:6D:C7:69:40:EB'
        option ip '10.10.20.27'

config host
        list mac 'b0:41:6f:0d:14:93'
        option ip '10.10.10.5'

config host
        option ip '10.10.20.34'
        option name 'S10shop'

config domain
        option name 'daisy'
        option ip '10.10.10.9'

config host
        option name 'biscuit'
        list mac '00:18:DD:09:13:E3'
        option ip '10.10.20.12'

config host
        list mac '90:A8:22:51:63:F1'
        option ip '10.10.20.15'

config host
        list mac '48:78:5E:FE:B3:69'
        option ip '10.10.20.14'

config host
        list mac '80:4E:70:0A:51:60'
        option ip '10.10.10.131'

config host
        option name 'EP10-grandpa'
        list mac '8C:90:2D:27:71:22'
        option ip '10.10.20.90'

config host
        option name 'EP10-livingroom'
        list mac '8C:90:2D:27:88:86'
        option ip '10.10.20.91'

config host
        option name 'EP10-library'
        list mac '8C:90:2D:27:71:33'
        option ip '10.10.20.92'

config host
        option ip '10.10.40.10'
        list mac 'DC:62:79:DA:44:8B'

config dhcp 'net_10_10_40'
        option interface 'net_10_10_40'
        option start '20'
        option limit '5'
        option leasetime '12h'
        option force '1'
        list dhcp_option '6,10.10.40.1'
        list dhcp_option '42,10.10.40.1'

config host
        list mac '00:05:CD:DA:92:56'
        option ip '10.10.20.26'

config host
        option name 'cc-library'
        list mac 'E4:F0:42:A1:D2:36'
        option ip '10.10.20.11'

config host
        list mac '8C:2A:85:00:8C:9A'
        option ip '10.10.20.37'

config domain
        option name 'C320WSFP'
        option ip '10.10.40.10'

config domain
        option name 'photos'
        option ip '10.10.10.9'

config domain
        option name 'elog'
        option ip '10.10.10.9'

config domain
        option name 'beelink'
        option ip '10.10.10.5'

config domain
        option name 'webdav'
        option ip '10.10.10.9'

config domain
        option name 'nfs'
        option ip '10.10.30.9'

config domain
        option name 'motion'
        option ip '10.10.10.7'

config domain
        option name 'pi4b'
        option ip '10.10.10.7'

config dhcp 'MNGT'
        option interface 'MNGT'
        option start '100'
        option limit '150'
        option leasetime '12h'

 
/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'HID'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'net_10_10_10'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping-Wan'
        list proto 'icmp'
        list icmp_type 'echo-request'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option name 'Denon to HID'
        option src 'VOT'
        list src_ip '10.10.20.26'
        option target 'ACCEPT'
        option dest 'HID'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '80 443 5020 3813 8080'

config zone
        option name 'VOT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'net_10_10_20'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan1'
        option src 'HID'
        option src_dport '123'
        list proto 'udp'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan3'
        option src 'VOT'
        option src_dport '123'
        list proto 'udp'

config rule
        option src 'VOT'
        option dest 'VOT'
        option name 'BlockTovlan3Bridge'
        list dest_ip '10.10.20.5'
        option target 'DROP'

config rule
        option name 'MDNS'
        option src '*'
        option src_port '5353'
        option dest_port '5353'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '224.0.0.251'

config include 'user'
        option enabled '1'
        option type 'script'
        option path '/etc/config/firewall.user'
        option fw4_compatible '1'

config rule
        option name 'Chromecast Ports '
        option src 'VOT'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '8008 8009 8010 32768-61000'
        option dest 'HID'
        list src_ip '10.10.20.11'
        list src_ip '10.10.20.22'
        list src_ip '10.10.20.35'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan7'
        list proto 'udp'
        option src 'CAMERAS'
        option src_dport '123'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan50'
        list proto 'udp'
        option src 'MNGT'
        option src_dport '123'

config redirect 'dns_int_1'
        option name 'Intercept-DNS vlan1'
        option family 'ipv4'
        option proto 'tcp udp'
        option src 'HID'
        option src_dport '53'
        option target 'DNAT'

config redirect 'dns_int_3'
        option name 'Intercept-DNS vlan3'
        option family 'ipv4'
        option proto 'tcp udp'
        option src 'VOT'
        option src_dport '53'
        option target 'DNAT'

config zone
        option name 'NFS'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'net_10_10_30'

config forwarding
        option src 'HID'
        option dest 'VOT'

config forwarding
        option src 'HID'
        option dest 'wan'

config forwarding
        option src 'VOT'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone
        option name 'wg2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg2'

config forwarding
        option src 'HID'
        option dest 'wg2'

config forwarding
        option src 'VOT'
        option dest 'wg2'

config zone
        option name 'wg3'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg3'

config forwarding
        option src 'HID'
        option dest 'wg3'

config forwarding
        option src 'VOT'
        option dest 'wg3'

config zone
        option name 'wg1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg1'

config forwarding
        option src 'HID'
        option dest 'wg1'

config forwarding
        option src 'VOT'
        option dest 'wg1'

config ipset
        option name 'FireSticks'
        option family 'ipv4'
        list match 'src_ip'
        list entry '10.10.20.14'
        list entry '10.10.20.15'
        list entry '10.10.20.17'

config zone
        option name 'CAMERAS'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'net_10_10_40'

config redirect
        option target 'DNAT'
        option name 'intercept-DNS vlan50'
        option src 'MNGT'
        option src_dport '53'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'

config forwarding
        option src 'HID'
        option dest 'CAMERAS'

config rule
        option name 'Denon Out'
        option src 'VOT'
        list src_ip '10.10.20.26'
        option target 'REJECT'
        option dest '*'
        option enabled '0'

config ipset
        option name 'WANs'
        option family 'ipv4'
        list match 'dest_mac'
        list entry '60:22:32:54:0B:94'

config zone
        option name 'MNGT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'MNGT'

config forwarding
        option src 'MNGT'
        option dest 'wg1'

config forwarding
        option src 'MNGT'
        option dest 'wg2'

config forwarding
        option src 'MNGT'
        option dest 'wg3'

config forwarding
        option src 'MNGT'
        option dest 'wan'

 
/etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '1'
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.40.0/24 10.10.250.0/24'

config policy
        option name 'ntp'
        option src_addr '0.0.0.0/0'
        option dest_port '123'
        option interface 'wan'
        option chain 'output'
        option proto 'udp'

config policy
        option name 'dhcp'
        option dest_port '67'
        option proto 'udp'
        option chain 'output'
        option interface 'wan'
        option src_addr '0.0.0.0/0'

config policy
        option name 'Fire Sticks EtAl'
        option interface 'wan'
        option src_addr '10.10.20.14 10.10.20.15 10.10.20.37  '

config policy
        option name 'Sites Bypass'
        option dest_addr 'fabricguru.com '
        option interface 'wan'
        option src_addr '0.0.0.0/0'

config policy
        option name 'ByPass'
        option src_addr '0.0.0.0/0'
        option dest_addr '0.0.0.0/0'
        option interface 'wan'
        option enabled '0'

What is the purpose of tagging all VLANs on all ports? Is it like multi-ap extenders? Any other switch in the middle?

I have 5 devices all with trunked vlan ports connected to the switch

I got it to work.
On the AP I left off the setting for "use custom dns servers -> 10.10.250.1".
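A check for the condition described in the post above, as an added example that is not part of the original thread: LuCI's "Use custom DNS servers" field is stored as `dns` on the interface in `/etc/config/network`, so a static interface with a gateway but no `dns` entry can ping and route yet cannot resolve names. The sample config and the AP address `10.10.250.4` are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of an AP's /etc/config/network (not taken from the thread).
sample_network_config() {
cat <<'EOF'
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'

config interface 'MNGT'
        option device 'br-lan.50'
        option proto 'static'
        option ipaddr '10.10.250.4'
        option netmask '255.255.255.0'
        option gateway '10.10.250.1'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.4'
        option gateway '10.10.10.1'
        list dns '10.10.10.1'
EOF
}

# Read a UCI network config on stdin and print every static interface
# that has a gateway but neither "option dns" nor "list dns".
static_ifaces_without_dns() {
    awk -v q="'" '
    function report() {
        if (name != "" && proto == "static" && gw && !dns) print name
    }
    { gsub(q, "") }                      # drop the quotes around UCI values
    $1 == "config" {
        report()                         # close the previous section
        name = ($2 == "interface") ? $3 : ""
        proto = ""; gw = 0; dns = 0
        next
    }
    $1 == "option" && $2 == "proto"   { proto = $3 }
    $1 == "option" && $2 == "gateway" { gw = 1 }
    ($1 == "option" || $1 == "list") && $2 == "dns" { dns = 1 }
    END { report() }
    '
}

# On a real AP: static_ifaces_without_dns < /etc/config/network
sample_network_config | static_ifaces_without_dns
```

An interface named in the output needs a `dns` entry (here the router at 10.10.250.1) unless the device gets its resolver some other way.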
