Device can't reach internet even though clients on both VLANs can

I have an interesting problem on a Netgear R6260 running 22.03.5. I'm using it both as a switch/dumb AP for my main network and as a router, DHCP server, and AP for a second (IoT devices) subnet and Wi-Fi network. (Nothing plugged into WAN, for simplicity.) The subnet stuff works fine, the routing and firewall work mostly fine, and even DNS is working nicely (using a different default domain for the second network). I have a few Tuya devices on the IoT network that I forbid from accessing my main default gateway and the DNS server, to prevent them from phoning home, but everything else works fine. (If I connect to that network with a computer, as long as I'm not on the forbidden list, I can get to the internet just fine.)

The problem is this: the router itself can't get to the internet! I can ping things, but NTP to the public pool doesn't work, and wget (whether libuclient-based or normal wget) fails with "connection refused". (And thus opkg can't update its lists, etc.)

Thanks for any help - I've tried searching and reading, but nothing appears to apply. The fact that things behind the router can get to the internet, but the router itself can't, is the really puzzling thing.

GNU Wget output:

root@kaleidoscope:~# wget http://downloads.openwrt.org
--2023-10-16 10:04:23--  http://downloads.openwrt.org/
Resolving downloads.openwrt.org... 168.119.138.211, 2a01:4f8:251:321::2
Connecting to downloads.openwrt.org|168.119.138.211|:80... failed: Connection refused.
Connecting to downloads.openwrt.org|2a01:4f8:251:321::2|:80... failed: Network unreachable.

Telling it which interface to bind to does not change anything. I'm not surprised the IPv6 doesn't work; I don't have IPv6 service.

Routes (br-lan.10 is the IoT VLAN):

root@kaleidoscope:~# ip r
default via 10.174.33.254 dev br-lan.1  src 10.174.33.250 
10.10.1.0/24 dev br-lan.10 scope link  metric 101 
10.174.33.0/24 dev br-lan.1 scope link  src 10.174.33.250 

traceroute:

root@kaleidoscope:~# traceroute downloads.openwrt.org
traceroute to downloads.openwrt.org (168.119.138.211), 30 hops max, 46 byte packets
 1  10.174.33.254 (10.174.33.254)  0.045 ms  0.443 ms  0.498 ms
 2  10.174.33.254 (10.174.33.254)  0.585 ms  0.511 ms  0.459 ms

I'm not sure what debug data or config files would be most helpful. Here are some config files that felt relevant, with minor things redacted.

/etc/config/dhcp:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max '1232'
	option local '/lan2/'
	option domain 'lan2'
	list address '/asdf.lan/asdf.local/10.174.33.xx'
	option rebind_protection '0'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dns_service '0'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iotlan'
	option interface 'iotlan'
	option leasetime '12h'
	option start '200'
	option limit '49'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

/etc/config/network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd42:eb42:asdf::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'
	option multicast_querier '1'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan 'lan_vlan'
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan 'iot'
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config interface 'iotlan'
	option proto 'static'
	option device 'br-lan.10'
	option netmask '255.255.255.0'
	list dns_search 'lan2'
	option ipaddr '10.10.1.1'
	option gateway '10.174.33.254'
	option dns_metric '101'
	option metric '101'


/etc/config/firewall (yeah, my Tuya blocking isn't quite right; I forgot I wasn't using wan when I set it up, so I need to block the default gateway instead):


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config rule
	option dest 'wan'
	option target 'REJECT'
	option src 'iot'
	list src_ip '10.10.1.99'
	list src_ip '10.10.1.98'
	list src_ip '10.10.1.97'
	option name 'Reject WAN for Tuya, etc'
	list src_mac '4C:11:BF:F4:2C:xx'
	list src_mac '3C:EF:8C:AB:C0:xx'
	list src_mac 'D4:A6:51:4E:28:xx'
	list src_mac 'D4:A6:51:37:C8:xx'
	list src_mac 'D4:A6:51:5F:89:xx'

config rule
	option target 'REJECT'
	option name 'Reject DNS for Tuya'
	option src 'iot'
	list src_ip '10.10.1.99'
	list src_ip '10.10.1.98'
	list src_ip '10.10.1.97'
	list dest_ip '10.10.1.1'
	option dest_port '53'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'iotlan'
	option forward 'ACCEPT'

config forwarding
	option src 'iot'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'iot'

I don't see masquerading configured. On the other hand no clients should work ...

I'm not trying to NAT, I'm routing between two private subnets/VLANs. I can talk to things on .lan2 (10.10.1.0) from .lan (10.174.33.0) just fine and vice versa. (I have nat on my main router, 10.174.33.254, to get to the internet.)
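As an added example, not part of the thread, here are two small parsers over the outputs already posted (the route table and the traceroute) plus a wrapper that runs the live commands on the router. route_for does a longest-prefix match and prints the route the router's own packets take; the src on that line (10.174.33.250 on br-lan.1) is the address the upstream NAT router sees for the router's traffic, whereas forwarded client traffic keeps the client's own address, which is one reason the two cases can behave differently. repeated_hops flags the pattern in the posted traceroute, where hops 1 and 2 are both 10.174.33.254: a device answering at two consecutive TTLs has forwarded the probe back through itself, which points at how that device handles packets from 10.174.33.250 rather than at this box. Function names and the sample strings are mine; the samples are single-spaced copies of the output in the post.

```shell
#!/bin/sh
# Added helpers, not from the original post: offline-checkable parsers for the
# two outputs already in the thread ("ip r" and "traceroute"), plus a wrapper
# that runs the live commands on the router. The parsers read command output
# on stdin so they can be exercised without network access.

# Sample input constructed from the post (single-spaced copies of its output).
SAMPLE_ROUTES="default via 10.174.33.254 dev br-lan.1 src 10.174.33.250
10.10.1.0/24 dev br-lan.10 scope link metric 101
10.174.33.0/24 dev br-lan.1 scope link src 10.174.33.250"

SAMPLE_TRACE="traceroute to downloads.openwrt.org (168.119.138.211), 30 hops max, 46 byte packets
 1  10.174.33.254 (10.174.33.254)  0.045 ms  0.443 ms  0.498 ms
 2  10.174.33.254 (10.174.33.254)  0.585 ms  0.511 ms  0.459 ms"

# route_for DST: longest-prefix match over an "ip route" table on stdin and
# print the winning line. This is the route the kernel uses for the router's
# *own* packets, so the "src" on that line is what the upstream gateway sees;
# forwarded client packets keep the client's address instead.
route_for() {
    awk -v dst="$1" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        # prefix length + 1 when dst is inside prefix, 0 for "default", -1 otherwise
        function score(prefix,  p, bits, shift) {
            if (prefix == "default") return 0
            split(prefix, p, "/"); bits = (p[2] == "") ? 32 : p[2]
            shift = 2 ^ (32 - bits)
            return (int(ip2n(dst) / shift) == int(ip2n(p[1]) / shift)) ? bits + 1 : -1
        }
        BEGIN { best = -1 }
        NF == 0 { next }
        { s = score($1); if (s > best) { best = s; line = $0 } }
        END { if (best >= 0) print line; else print "no route to " dst }'
}

# repeated_hops: flag consecutive traceroute hops that answered from the same
# address. TTL=1 and TTL=2 both expiring at one router means that router
# forwarded the probe back through itself (policy route, redirect, tunnel),
# so the fault is there, not on the box running the traceroute.
repeated_hops() {
    awk '
        /^ *[0-9]+ / {
            addr = $2
            if (addr == "*") { prev = ""; next }   # timeout: no address to compare
            if (addr == prev) printf "hop %s repeats previous hop %s\n", $1, addr
            prev = addr
        }'
}

# Live run on the router (needs ip and traceroute; if the busybox ip applet
# rejects "route get", install ip-full).
run_diag() {
    dst="$1"
    echo "== route and source address the kernel selects for $dst"
    ip route get "$dst"
    echo "== repeated hops towards $dst"
    traceroute -n "$dst" 2>/dev/null | repeated_hops
    echo "== resolver this box uses"
    cat /tmp/resolv.conf.d/resolv.conf.auto
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ROUTES" | route_for 168.119.138.211
printf '%s\n' "$SAMPLE_TRACE" | repeated_hops
```

On the router, run_diag 168.119.138.211 reproduces the two checks against live output; compare the src that ip route get reports with what the upstream router at 10.174.33.254 is willing to forward and NAT, since a client behind this box never presents that address to it.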