@psherman, splitting out as suggested.
My main network is on a different range to the one that I have put the radio1 AP on so that shouldn’t be causing the issue.
Network config:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd03:ada5:cd05::/48'
config interface 'lan'
option proto 'dhcp'
option ifname 'eth0'
config interface 'wwan'
option proto 'dhcp'
config interface 'providervpn'
option proto 'none'
option ifname 'tun0'
config interface 'lan2'
option proto 'static'
option ifname 'radio1'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
Wireless:
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/qca953x_wmac'
option htmode 'HT20'
option legacy_rates '1'
option country 'GB'
option channel '1'
config wifi-iface
option network 'wwan'
option ssid 'homenetwork'
option encryption 'psk2'
option device 'radio0'
option mode 'sta'
option bssid '00:F2:01:3A:61:F0'
option key '........'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option country 'GB'
option legacy_rates '1'
option channel 'auto'
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'OpenWRT'
option encryption 'psk2'
option key '.......'
DHCP:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'lan2'
option interface 'lan2'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '12h'
And finally, firewall (wan is set to accept input as I wanted to move the ethernet there just to test that having 2 interfaces on the lan rule set wasn't causing issues):
config defaults
option syn_flood '1'
option output 'ACCEPT'
option input 'DROP'
option forward 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan2'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'DROP'
option input 'ACCEPT'
option network 'wan wan6 wwan lan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'providervpn'
option family 'ipv4'
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'providervpn'
config forwarding
option src 'lan'
option dest 'vpn'
I'm sure it's something simple but I just can't see it!