DHCP failure: unable to obtain IP address on new VLAN

Hi all,

I have a NanoPi R4S which I set up a few years ago. It's running OpenWrt 23.05.2 and has been wonderfully stable.

I set up a few VLANS (VLAN 20, 30, 40, 50) previously as per this thread and they have been working fine.

I have tried to add a new VLAN (VLAN 25) for a specific new wifi SSID which will only have two devices in it, which will not connect to the WAN. However, when connecting test devices to the new wifi SSID, they fail to obtain an IP address, which I believe indicates a DHCP failure.

I have searched the forums and Google for answers, but I cannot work out where it is going wrong. Other threads often use bridged networks (presumably because the router's onboard wifi is in use), so I find it difficult to translate their solutions to my setup.

Of note, I have the adblock and banIP packages installed, as well as SQM. I do not think they are interfering with the new VLAN.

I have also created another new VLAN (VLAN11) which is for a future project and I haven't tested it yet!

Network topology:
ONT on the wall (FTTH) --> R4S (OpenWrt) ---> multiple managed switches and APs (TP-Link Omada, controlled by SDN).

All the old VLANS are working perfectly, no issues.

Please see below for my config files for network, dhcp and firewall and enlighten me where it's all going wrong!

cat /etc/config/network:

# /etc/config/network as posted.  Lines beginning with '#' are comments to UCI;
# NOTE(review) marks reviewer remarks, everything else is the original config.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 ULA prefix; value redacted by the poster.
	option ula_prefix 'fd7b:snip::/48'

config device
	option name 'eth1'
	# MAC override, redacted by the poster (the typographic quotes and the
	# missing quote below are part of the redaction, not the live file).
	option macaddr ‘address removed’

config device
	option name 'eth0'
	option macaddr 'address removed

config interface 'wan'
	# PPPoE uplink on eth0 towards the ONT.  Credentials redacted.
	option device 'eth0'
	option proto 'pppoe'
	option password ‘removed’
	# peerdns '0' + dns 127.0.0.1: ISP-supplied resolvers are ignored; the
	# router resolves through its own unbound (port 53, see /etc/config/unbound).
	option peerdns '0'
	option ipv6 'auto'
	option username ‘removed’
	list dns '127.0.0.1'

config interface 'LAN'
	option proto 'static'
	# Untagged traffic on eth1 is the management LAN.  Every VLAN below is an
	# 802.1Q tagged sub-interface (eth1.N) on this same physical port, so the
	# switch port facing eth1 must be a trunk carrying all of those tags.
	option device 'eth1'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'VLAN11'
	# Reserved for a future project; not yet tested (per the post).
	option proto 'static'
	option device 'eth1.11'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

config interface 'VLAN20'
	option proto 'static'
	option device 'eth1.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'VLAN25'
	# New isolated-SSID VLAN.  Defined exactly like the working VLANs (tagged
	# eth1.25, gateway .1 on a /24).  Later in the thread a client with a
	# static 192.168.25.x address reaches the gateway, so L2/L3 look fine and
	# the failure is on the DHCP side, not here.
	option proto 'static'
	option device 'eth1.25'
	option ipaddr '192.168.25.1'
	option netmask '255.255.255.0'

config interface 'VLAN30'
	option proto 'static'
	option device 'eth1.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'VLAN40'
	option proto 'static'
	option device 'eth1.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

config interface 'VLAN50'
	option proto 'static'
	option device 'eth1.50'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

cat /etc/config/dhcp:

# /etc/config/dhcp as posted (first version).  NOTE(review) marks reviewer remarks.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS-rebinding defence: drop upstream answers that point at private
	# ranges; rebind_localhost still permits 127.0.0.0/8 answers.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	# authoritative: dnsmasq assumes it is the only DHCP server on its
	# segments and answers renewals immediately (fine on a single-server LAN).
	option authoritative '1'
	# Static leases may also come from /etc/ethers.
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Only answer DNS for directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option proxydnssec '1'
	# dnsmasq's own (port 1053) DNS forwards to a local listener on 5453;
	# which service owns 5453 is not shown anywhere in this thread.
	list server '127.0.0.1#5453'
	option noresolv '1'
	option localuse '0'
	# DNS moved to 1053 so unbound can own port 53 (see /etc/config/unbound).
	# DHCP (UDP 67) is not affected by this option.
	option port '1053'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'wan'
	option interface 'wan'
	# No DHCP server on the WAN interface.
	option ignore '1'

config odhcpd 'odhcpd'
	# maindhcp '0': odhcpd only does DHCPv6/RA; dnsmasq is the DHCPv4 server.
	# This stanza exists in stock OpenWrt and is not a leftover to delete.
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static leases (addresses and MACs redacted by the poster).
config host
	option name 'raspberrypi'
	option ip 'address removed'
	option mac ‘address removed’

config host
	option name 'EAP245-46'
	option ip 'address removed'
	option mac 'address removed’

config host
	option name 'TL-SG2210P'
	option ip 'address removed'
	option mac 'address removed'

config host
	option name 'EAP245-5D'
	option ip 'address removed'
	option mac 'address removed'

config host
	option name 'RokuStreamingStick'
	option ip 'address removed'
	option mac 'address removed'

config dhcp 'LAN'
	option interface 'LAN'
	# Pool .100-.249 (start 100, 150 addresses), 12h leases; same on every VLAN.
	option start '100'
	option limit '150'
	option leasetime '12h'
	# No IPv6 router-advertisement flags on this pool.
	list ra_flags 'none'
	# dnsmasq(8) documents 0.0.0.0 in a dns-server option as "the address of
	# the machine running dnsmasq", i.e. advertise the router itself — which
	# is also dnsmasq's default, so removing this line changes nothing.
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'VLAN11'
	option interface 'VLAN11'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'VLAN20'
	option interface 'VLAN20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

# NOTE(review): the closing quote on the next section name is a typographic
# ’ (U+2019), not an ASCII '.  If that character is in the real file rather
# than a paste artifact, UCI cannot parse /etc/config/dhcp at all: dnsmasq
# keeps running on its previously generated config (existing 12h leases keep
# working) while a pool for VLAN25 is never generated.  Verify with
# `uci -q get dhcp.VLAN25.interface` and `logread -e dnsmasq`.
config dhcp 'VLAN25’
	option interface 'VLAN25'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'VLAN30'
	option interface 'VLAN30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'VLAN40'
	option interface 'VLAN40'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'VLAN50'
	option interface 'VLAN50'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	list dhcp_option 'option:dns-server,0.0.0.0'

cat /etc/config/firewall:

# /etc/config/firewall as posted — defaults and the two stock zones.
config defaults
	# input ACCEPT is the stock OpenWrt default and only applies to traffic
	# that matches no zone; every interface in this file sits in a zone with
	# its own input policy.  Hardening option: set REJECT here so any future
	# interface that is forgotten from a zone is closed by default.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# SYN-flood rate limiting on the INPUT path.
	option synflood_protect '1'

config zone
	# Management LAN: full access to the router and allowed to forward
	# wherever a 'forwarding' stanza permits (wan and every VLAN below).
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN'

config zone
	option name 'wan'
	# Internet side: reject unsolicited input and forwarding, masquerade
	# outbound, and clamp MSS (needed for the PPPoE MTU).
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	# Management LAN may initiate connections to the internet (stateful:
	# return traffic is allowed by conntrack, nothing inbound is opened).
	option src 'lan'
	option dest 'wan'

# The rules below are the stock OpenWrt WAN-side allowances (DHCP renewal,
# ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).  They are untouched and have no
# bearing on the VLAN25 DHCP problem, which is local-side INPUT traffic.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	# Rate-limited so ICMPv6 cannot be used to flood the router.
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	# Stock rule: accepts ESP forwarded from wan into lan.  Behind masquerade
	# it only matters if a DNAT/port-forward to a lan host exists, and none is
	# shown in this config.
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	# Stock rule, same remark as Allow-IPSec-ESP (IKE, UDP 500).
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# One zone per VLAN.  input REJECT means clients can reach the router only
# through the explicit "DNS & DHCP" rules further down; forward REJECT keeps
# the VLANs from reaching each other (inter-VLAN traffic exists only where a
# 'forwarding' stanza allows it); output ACCEPT lets the router itself talk
# to the VLAN (DHCP offers, DNS answers).  VLAN25 is identical to the others.
config zone
	option name 'VLAN11'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN11'

config zone
	option name 'VLAN20'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN20'

config zone
	option name 'VLAN25'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN25'

config zone
	option name 'VLAN30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN30'

config zone
	option name 'VLAN40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN40'

config zone
	option name 'VLAN50'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN50'

# lan -> VLANx forwardings are one-way: the management LAN can initiate into
# each VLAN, but because forwarding is stateful VLAN hosts cannot initiate
# connections into lan.
config forwarding
	option src 'lan'
	option dest 'VLAN11'

config forwarding
	option src 'lan'
	option dest 'VLAN20'

config forwarding
	option src 'lan'
	option dest 'VLAN25'

config forwarding
	option src 'lan'
	option dest 'VLAN30'

config forwarding
	option src 'lan'
	option dest 'VLAN40'

config forwarding
	option src 'lan'
	option dest 'VLAN50'

# VLANx -> wan forwardings give each VLAN internet access.  VLAN25 is
# deliberately absent (the post says that SSID must not reach the WAN).
# That is the only asymmetry between VLAN25 and the working VLANs in this
# file, and it cannot affect DHCP: a DHCP exchange is INPUT/OUTPUT between
# client and router, never FORWARD.
config forwarding
	option src 'VLAN20'
	option dest 'wan'

config forwarding
	option src 'VLAN30'
	option dest 'wan'

config forwarding
	option src 'VLAN40'
	option dest 'wan'

config forwarding
	option src 'VLAN50'
	option dest 'wan'

config forwarding
	option src 'VLAN11'
	option dest 'wan'

# Per-VLAN holes in the zone's input REJECT.  No 'proto' is given, so fw4
# applies its default of tcp+udp when dest_port is set.  Port 53 reaches
# unbound (listen_port 53), port 67 reaches dnsmasq's DHCP server.  Port 68
# is the DHCP *client* port; accepting it inbound on a server-only interface
# is harmless but not needed (clients send DISCOVER/REQUEST to 67).
# The VLAN25 rule is identical to the working ones, so the firewall is not
# what stops VLAN25 clients from obtaining a lease.
config rule
	option name 'VLAN11 DNS & DHCP'
	option src 'VLAN11'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN20 DNS & DHCP'
	option src 'VLAN20'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN25 DNS & DHCP'
	option src 'VLAN25'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN30 DNS & DHCP'
	option src 'VLAN30'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN40 DNS & DHCP'
	option src 'VLAN40'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN50 DNS & DHCP'
	option src 'VLAN50'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# adblock-generated DNS hijack redirects.  A DNAT redirect with no dest_ip
# sends the traffic to the router itself, so:
#   53   — hard-coded plain-DNS clients are forced through the router's
#          resolver (unbound on 53) and therefore through the block lists;
#   853  — DNS-over-TLS is redirected to the router, where nothing in the
#          posted configs listens on 853, so DoT attempts fail rather than
#          bypass the filter (effectively a DoT block);
#   5353 — mDNS; as mDNS is multicast to 224.0.0.251 the redirect has little
#          practical effect and is harmless.
# DNS-over-HTTPS (TCP 443) is NOT covered by these rules — a client using DoH
# still bypasses adblock.  These redirects are DNAT/PREROUTING rules and
# cannot interfere with DHCP.
config redirect 'adblock_VLAN2053'
	option name 'Adblock DNS (VLAN20, 53)'
	option src 'VLAN20'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_VLAN20853'
	option name 'Adblock DNS (VLAN20, 853)'
	option src 'VLAN20'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_VLAN205353'
	option name 'Adblock DNS (VLAN20, 5353)'
	option src 'VLAN20'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_VLAN3053'
	option name 'Adblock DNS (VLAN30, 53)'
	option src 'VLAN30'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_VLAN30853'
	option name 'Adblock DNS (VLAN30, 853)'
	option src 'VLAN30'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_VLAN305353'
	option name 'Adblock DNS (VLAN30, 5353)'
	option src 'VLAN30'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_VLAN4053'
	option name 'Adblock DNS (VLAN40, 53)'
	option src 'VLAN40'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_VLAN40853'
	option name 'Adblock DNS (VLAN40, 853)'
	option src 'VLAN40'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_VLAN405353'
	option name 'Adblock DNS (VLAN40, 5353)'
	option src 'VLAN40'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_VLAN5053'
	option name 'Adblock DNS (VLAN50, 53)'
	option src 'VLAN50'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_VLAN50853'
	option name 'Adblock DNS (VLAN50, 853)'
	option src 'VLAN50'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_VLAN505353'
	option name 'Adblock DNS (VLAN50, 5353)'
	option src 'VLAN50'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

# The VLAN11/VLAN25 stanzas were generated later and additionally carry
# "option family 'any'"; that is the only textual difference from the older
# stanzas above.  Whether it changes behaviour depends on fw4's default
# family for redirects — compare with `fw4 print` if in doubt.
config redirect 'adblock_VLAN1153'
	option name 'Adblock DNS (VLAN11, 53)'
	option src 'VLAN11'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_VLAN11853'
	option name 'Adblock DNS (VLAN11, 853)'
	option src 'VLAN11'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_VLAN115353'
	option name 'Adblock DNS (VLAN11, 5353)'
	option src 'VLAN11'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_VLAN2553'
	option name 'Adblock DNS (VLAN25, 53)'
	option src 'VLAN25'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_VLAN25853'
	option name 'Adblock DNS (VLAN25, 853)'
	option src 'VLAN25'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_VLAN255353'
	option name 'Adblock DNS (VLAN25, 5353)'
	option src 'VLAN25'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

Thank you in advance for any assistance!

Remove the `list dhcp_option 'option:dns-server,0.0.0.0'` line from each of your DHCP server stanzas... this is not valid.

If you want to specify a DNS server, it would look like this

	list dhcp_option '6,0.0.0.0'

But, 0.0.0.0 will break all DNS, so this is only good if you want DNS to fail on the clients. (Caveat from review: dnsmasq(8) documents 0.0.0.0 in a dns-server option as shorthand for "the address of the machine running dnsmasq", which is also its default, so the line is valid and removing it is harmless but unlikely to be the cause of the DHCP failure.)

Your adblock redirect rules are also likely problematic, but those wouldn't cause DHCP failures.

Thank you for the quick reply!

I remember fiddling a lot with adblock to get working, at one point https-dns-proxy didn't work after an update I think, so I switched to unbound and then used odhcpd instead of dnsmasq for DHCP and did a lot of fudging to get things working.

With regard to the adblock rules, I think those are essentially there to redirect hard-coded plain DNS (port 53) from devices into the router's resolver, and to send DNS-over-TLS (port 853) to the router as well, where nothing in my configs listens, so it is effectively blocked; DNS-over-HTTPS on port 443 is not caught by them.

Will try deleting the lines as you suggested!

I have deleted

list dhcp_option 'option:dns-server,0.0.0.0'

from each entry in /etc/config/dhcp

The good news: internet access is still working on my main machine (on LAN)!

The bad news: hasn't fixed the situation of being unable to get an IP address on VLAN 25.

I wonder if it would be best to go nuclear and start with a brand new install, as there might be some hard-to-find error left over from the previous odhcpd setup? I believe I am back to using dnsmasq for DHCP now (at least according to unbound's "Recursive DNS" -> "DHCP" setting in LuCI).

I would welcome any other ideas though before this, as usually it takes me forever to get everything back working again if I start from scratch!

I'm guessing that the problem is actually your downstream switch -- check that it is properly configured on the trunk to the router and that you have properly defined an access port for it.

This certainly is an option to consider. Your config has a lot going on, so you may find it easier to start small and prove each item one at a time after a fresh start.

Thank you, I have checked and confirmed that the trunk ports can carry all the VLANs and the ports that the APs are connected to are similar.

Will continue to have a play to stave off the 'start from scratch' option, as it will take quite a while to reconfigure everything and it can be very frustrating trying to get things that were working previously back up and running again!

Any further ideas very welcome!

To rule out any firewall-related issues, you could temporarily change the input policy of the VLAN25 zone from REJECT to ACCEPT (and revert it once DHCP works, since input ACCEPT exposes every service on the router to that VLAN):

That shouldn't be necessary, because you already have the 'VLAN25 DNS & DHCP' rule in place, which accepts ports 53, 67 and 68 from the VLAN25 zone:

As I said before, I suspect it is an issue with the switch (assuming there are no typos or other errors that have come up in the meantime). So, another thing you can try would be to manually assign an IP address (complete with subnet mask, gateway/router, and DNS information) on a client device connected to what you believe is a port assigned as untagged+PVID to VLAN25. If that allows the device to get the expected connectivity, that would suggest VLAN25 is working and that it is indeed a DHCP issue. If it doesn't work, it would suggest that the switch is not properly configured.

Feel free to post the complete config set again for review.

Thank you again for your advice. I have now tried connecting my phone and the intended client device (an IoT device) to the new wifi SSID which is allocated to VLAN25; neither gets an IP address. I manually configured the details as suggested on my phone (IP address 192.168.25.51, subnet mask 255.255.0.0 — note the VLAN25 interface is a /24, so 255.255.255.0 would match it, although the wider mask did not stop the test from working — and gateway 192.168.25.1), temporarily enabled WAN access on VLAN25, and had working internet.

I believe this implies that VLAN25 is 'functional' other than DHCP not being configured?

Below is the /etc/config/dhcp file, the only change I have made is to delete the list dhcp_option as previously directed.


# /etc/config/dhcp as re-posted after removing the dhcp_option lines.
# NOTE(review) marks reviewer remarks.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS-rebinding defence (private-range answers from upstream are dropped).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Only answer DNS for directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option proxydnssec '1'
	# dnsmasq's DNS forwards to a local listener on 5453 (service not shown).
	list server '127.0.0.1#5453'
	option noresolv '1'
	option localuse '0'
	# DNS on 1053 so unbound can own port 53; DHCP (UDP 67) is unaffected.
	option port '1053'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	# maindhcp '0': odhcpd handles only DHCPv6/RA, dnsmasq is the DHCPv4
	# server.  Stock OpenWrt ships this stanza; it is not a leftover and does
	# not conflict with the dnsmasq section above.
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static leases (values redacted by the poster).
config host
	option name 'raspberrypi'
	option ip ‘address removed’
	option mac ‘address removed’

config host
	option name 'EAP245-486'
	option ip ‘address removed’
	option mac ‘address removed’

config host
	option name 'TL-SG2210P'
	option ip ‘address removed’
	option mac ‘address removed’

config host
	option name 'EAP245-B0'
	option ip ‘address removed’
	option mac ‘address removed’

config host
	option name 'RokuStreamingStick'
	option ip ‘address removed’
	option mac ‘address removed’

config dhcp 'LAN'
	option interface 'LAN'
	# Pool .100-.249, 12h leases; identical on every VLAN below.
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


config dhcp 'VLAN11'
	option interface 'VLAN11'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


config dhcp 'VLAN20'
	option interface 'VLAN20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


# NOTE(review): the closing quote on the next section name is a typographic
# ’ (U+2019), not an ASCII ', in both postings of this file.  If that
# character is really in /etc/config/dhcp, UCI fails to parse the whole file,
# dnsmasq keeps running on its old generated config (existing 12h leases
# still work, which matches "internet still working on LAN"), and no pool for
# VLAN25 is ever created.  Check with `uci -q get dhcp.VLAN25.interface`
# (a parse error is reported instead of 'VLAN25') and `logread -e dnsmasq`.
config dhcp 'VLAN25’
	option interface 'VLAN25'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


config dhcp 'VLAN30'
	option interface 'VLAN30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


config dhcp 'VLAN40'
	option interface 'VLAN40'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


config dhcp 'VLAN50'
	option interface 'VLAN50'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

I wonder if there is some conflict between the config dnsmasq and config odhcpd entries? I think that DHCP is currently being provided by dnsmasq, not odhcpd (which I think I briefly used with unbound previously), but I'm not sure how to confirm which is providing DHCP duties. (`option maindhcp '0'` in the odhcpd stanza means dnsmasq is the DHCPv4 server; `logread -e dnsmasq` while a client joins the VLAN25 SSID shows whether its DHCPDISCOVER reaches dnsmasq at all, and `uci show dhcp` will report a parse error if the file is not valid UCI.)

I'm also not sure whether there should be a config odhcpd entry at all. This github page suggests that odhcpd should be present as default in openwrt, but only used for DHCPv6 for IPv6 connections. Therefore I'm not sure whether I can safely delete the config odhcpd entry as a remnant of an old configuration, or whether it needs to stay present?

Of course, I may be going down completely the wrong avenue!

Edit:

Looking at that unbound github page, the section just above regarding parallel dnsmasq suggests the use of list dhcp_option 'option:dns-server,0.0.0.0' in the /etc/config/dhcp file, so I guess that's why it was there! Strange that deleting it doesn't seem to have had any effect, unless it will only go all wonky once the DHCP leases expire on the currently connected clients? Either way, now I'm not sure if I should add those lines back in...?

Contents of /etc/config/unbound in case needed:

# /etc/config/unbound as posted.  unbound is the client-facing resolver on
# port 53; dnsmasq (port 1053) only provides DHCP and local hostnames.
config unbound 'ub_main'
	# Pull DHCP lease hostnames from dnsmasq so they resolve via unbound.
	option dhcp_link 'dnsmasq'
	option dns64 '0'
	option domain 'lan'
	option edns_size '1232'
	# Do not reveal version/hostname to id.server / version.bind queries.
	option hide_binddata '1'
	option interface_auto '1'
	# Port 53 on the router; this is what the "dns-server" advertised to DHCP
	# clients and the adblock 53 redirects land on.
	option listen_port '53'
	# Only answer queries from directly attached subnets.
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option rate_limit '0'
	# DNS-rebinding defence, mirroring the dnsmasq setting.
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	# Local control socket (used for the extended statistics below).
	option unbound_control '1'
	# Hold DNSSEC validation until NTP has set the clock, so signatures are
	# not wrongly rejected right after boot.
	option validator_ntp '1'
	option verbosity '1'
	list iface_wan 'wan'
	option enabled '1'
	# DNSSEC validation enabled.
	option validator '1'
	option iface_trig 'wan'
	option extended_stats '1'
	option rebind_localhost '1'

# All zones below are disabled ('enabled 0'), so unbound performs full
# recursion from the root itself; none of these forwarders is in use.
config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	# Package example (placeholder names); disabled.
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	# DNS-over-TLS forwarder to Google; disabled.
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	# DNS-over-TLS forwarder to Cloudflare; disabled.
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'

I'm not an expert on unbound, so I don't know if this could cause issues.

This is a good argument for resetting and starting over.