Flint2 openwrt 25.12 not working without vpn

Hello, from the basic settings of OpenWrt I set up WAN (PPPoE), a proton0 VPN interface + firewall zone, and isolated guest and IoT interfaces. Everything works just fine like this. The thing is, I wanted to bypass the VPN for a test on the LAN, so in the firewall I changed the lan zone's destination zone from vpn to wan, but then I have no internet (actually, there is internet, but only for some sites: the OpenWrt site works, speedtest doesn't, etc.). I am not sure why this is happening; when I did the same in 24.10 it worked. I did not change much from the defaults, I just added things, but I am not sure whether something was changed automatically.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.12.71",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32713-f919e7899d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.0 r32713-f919e7899d",
                "builddate": "1772496855"
        }
}
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as pasted by the OP; secrets are redacted as 'key'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '000404d805dfec5f43a4a8ddaf571e39a708'
        option ula_prefix 'fd9c:d7bb:85a5::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '192.168.1.1/24'
        option ip6assign '60'

# WAN over PPPoE. peerdns '0' discards the resolvers announced by the ISP, so
# the only upstream resolver configured on this interface is 10.2.0.1 -- the
# same address listed as dns under proton0 below.
# NOTE(review): that address looks reachable only inside the tunnel, so name
# resolution for wan-bound traffic presumably depends on the VPN being up;
# confirm before relying on a lan->wan forwarding without the VPN.
config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'key'
        option password 'key'
        option ipv6 'auto'
        option norelease '1'
        option multipath 'off'
        option peerdns '0'
        list dns '10.2.0.1'

# Docker bridge; auto '0' keeps it from being brought up at boot.
config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

# Empty bridges for the isolated networks: no Ethernet ports are attached;
# the Wi-Fi interfaces in /etc/config/wireless join them by network name.
config device
        option type 'bridge'
        option name 'guest'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'iot'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'iot'
        option proto 'static'
        option device 'iot'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option multipath 'off'

# ProtonVPN WireGuard tunnel. The dns entry becomes an upstream resolver for
# dnsmasq (via the resolvfile in /etc/config/dhcp) while the tunnel is up.
config interface 'proton0'
        option proto 'wireguard'
        option private_key 'key'
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'
        option multipath 'off'

# Peer: allowed_ips covers every IPv4 and IPv6 destination, and
# route_allowed_ips '1' makes netifd add routes for them -- i.e. a default
# route for both address families through the tunnel whenever proton0 is up.
# This is the "default route via VPN" the replies below refer to; it is
# installed by the interface, not by the firewall zones.
config wireguard_proton0
        option description 'config.conf'
        option public_key 'key'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '169.150.199.70'
        option endpoint_port '51820'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as pasted by the OP; PSKs are redacted as 'key'.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE40'
        option txpower '20'
        option country 'RO'
        option cell_density '0'

# Both factory-default SSIDs ('OpenWrt' on 2.4 GHz and on 5 GHz) are attached
# to the iot network, WPA2-PSK, with client isolation enabled.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'iot'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'key'
        option isolate '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE160'
        option cell_density '0'
        option txpower '23'
        option country 'RO'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'iot'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'key'
        option isolate '1'

# Main LAN SSID, WPA3-SAE. ocv '0' leaves Operating Channel Validation off;
# no client isolation here (LAN clients can talk to each other).
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-5G'
        option encryption 'sae'
        option key 'key'
        option ocv '0'
        option network 'lan'

# Guest SSID on its own network (guest zone), WPA2-PSK, clients isolated.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-Guest'
        option encryption 'psk2'
        option isolate '1'
        option key 'key'
        option network 'guest'
root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as pasted by the OP.
# dnsmasq takes its upstream resolvers from resolvfile, which netifd fills
# from the per-interface dns lists in /etc/config/network (10.2.0.1 for both
# wan and proton0 in this setup). rebind_protection '1' rejects upstream
# answers that point at private address ranges.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# lan gets DHCPv4, DHCPv6 and router advertisements.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP/RA is served on the wan side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

# guest and iot only get DHCPv4 (no dhcpv6/ra), unlike lan above.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as pasted by the OP -- the state with lan forwarded to
# the vpn zone, i.e. before the test that switched it to wan.
# Software and hardware flow offloading are both enabled.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# mtu_fix '1' is the "MSS clamping" option from the setup steps.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

# Unsolicited traffic from wan is rejected on input and dropped on forward;
# only the stock Allow-* rules that follow punch holes in that.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward IPsec (ESP and UDP/500) from wan into lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone for the docker0 bridge (the docker interface has auto '0' in
# /etc/config/network, so this zone is idle unless Docker is started).
config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

# Isolated zones. input REJECT: clients only reach the router through the
# explicit DNS/DHCP rules below. The zone-level forward REJECT applies
# between networks inside the zone; traffic to other zones is governed by
# the 'config forwarding' entries at the end of the file.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

# No proto given, so this matches TCP and UDP (the "TCP+UDP" choice in the
# setup steps); same for Allow-DNS-IOT below.
config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'iot'
        option name 'Allow-DNS-IOT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'iot'
        option name 'Allow-DHCP-IOT'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

# These two rules are the only lan -> iot access: TCP/80 and TCP/3030-3031
# to the printer at 192.168.3.236. There is no lan -> iot forwarding.
config rule
        option src 'lan'
        option dest 'iot'
        option name 'Allow-LAN-To-Printer'
        list proto 'tcp'
        option target 'ACCEPT'
        option dest_port '80'
        list dest_ip '192.168.3.236'

config rule
        option src 'lan'
        option dest 'iot'
        option name 'Allow-LAN-To-Printer2'
        list proto 'tcp'
        option dest_port '3030-3031'
        option target 'ACCEPT'
        list dest_ip '192.168.3.236'

# masq '1' NATs everything leaving through proton0, as on wan.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'proton0'

# All three internal zones forward only to vpn; there is no forwarding with
# dest 'wan', so in this state traffic can only leave through the tunnel.
# Note that a lan -> wan forwarding only permits the traffic; which interface
# a packet actually leaves through is decided by the routing table, and with
# proton0 up the default route points at the tunnel (see the replies below).
config forwarding
        option src 'guest'
        option dest 'vpn'

config forwarding
        option src 'iot'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

This is all I did on the system after a reset:

1. Set root password
2. Configure WAN
Network → Interfaces → Edit wan → PPPoE 
3. Configure Wireless
2.4GHz: AX, channel 1, 40MHz, 20dBm, country RO, isolate clients: enabled, WPA2-PSK encryption
5GHz: AX, channel 36, 160MHz, 23dBm, country RO, WPA3-SAE encryption

4. Hardware acceleration
Network → Firewall → Routing/NAT Offloading → Hardware flow offloading

5. ProtonVPN WireGuard
System → Software → update lists → install luci-proto-wireguard → reboot
Network → Interfaces → Add new interface → WireGuard VPN → import configuration
Peers → Edit → Route Allowed IPs: enabled
Firewall → Zones → Add vpn (input reject, output accept, forward reject, masquerading on, covered networks: proton0, allow forward from: lan)
Edit lan zone → remove wan, keep only vpn, enable MSS clamping
Network → Interfaces → wan → Advanced → disable "Use DNS servers advertised by peer" → add custom DNS 10.2.0.1

6. Creating isolated interface
Create the br-guest device (and br-iot the same way, with the names changed)
    Network → Devices → Add device → Bridge device, name: br-guest, ports unspecified, bring up empty bridge: enabled
Create guest interface
    Network → Interfaces → Add → Static address, IP 192.168.2.1, netmask 255.255.255.0, device br-guest, DHCP enabled (192.168.3.1 for iot)
Firewall guest zone
    Zones → Add guest (input reject, output accept, forward reject, covered networks: guest, allow forward to: vpn)
    Edit vpn zone → allow forward from source zones → add guest
Add traffic rules
    Firewall → Traffic rules → Allow-DNS-Guest → TCP+UDP, source zone guest, destination zone device, destination port 53, action accept
    Firewall → Traffic rules → Allow-DHCP-Guest → UDP, source zone guest, destination zone device, destination port 67, action accept
Add listening interfaces
    Network → DHCP and DNS → Devices & ports → non-wildcard (is enabled) → listen interfaces guest, lan
Configure 5GHz guest SSID
    Network → Wireless → Add on radio1 → SSID: OpenWrt-Guest, Network: guest, WPA2-PSK, Isolate clients: enabled

Firewall Rule for Printer
    Firewall → Traffic rules → Allow-LAN-To-Printer→ TCP, source zone lan, destination zone iot, destination address 192.168.3.236, destination port 80, action accept
    Firewall → Traffic rules → Allow-LAN-To-Printer2→ TCP, source zone lan, destination zone iot, destination address 192.168.3.236, destination port 3030-3031, action accept

Add 1.1.1.1 as DNS server on the wan (or any other publicly available DNS server): the wan interface currently has peer DNS disabled and only 10.2.0.1 configured, which is the resolver address used by the proton0 interface and is unlikely to be reachable when traffic is not going through the tunnel.

And make sure there is a forward from LAN to WAN

config forwarding
        option src 'lan'
        option dest 'wan'

The firewall controls what is allowed. The routing table(s) determine where a packet will be sent. If you leave the wg interface enabled, it will install a default route via the VPN. Then, if the firewall prevents lan->vpn forwarding, the Internet will not be reachable from the lan.

In order to have some of the LAN networks use the Internet via wan and some via VPN, you will need to set up source-conditional routing and multiple routing tables in the kernel (in addition to firewall rules). The pbr package is designed to simplify that.

Tried that, didn't work. I reset the router, set up PPPoE, websites work; then I created the proton0 interface with the config and websites stopped working again, even with the interface disabled. The weird thing is that some websites work, like this one, but some stop working as soon as the proton0 interface is created.
This is everything that creating the proton0 interface changed, after resetting the router and setting up PPPoE:

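# Pending UCI changes produced by creating the proton0 WireGuard interface in
# LuCI (the OP's paste; the private/public keys are redacted as 'key').
# Fixed here: the public_key line was missing its closing quote.
uci set network.proton0=interface
uci set network.proton0.proto='wireguard'
uci add network wireguard_proton0 # =cfg0954e0
uci set network.@wireguard_proton0[-1].description='config.conf'
uci set network.@wireguard_proton0[-1].public_key='key'
# allowed_ips covers every IPv4 and IPv6 destination ...
uci add_list network.@wireguard_proton0[-1].allowed_ips='0.0.0.0/0'
uci add_list network.@wireguard_proton0[-1].allowed_ips='::/0'
uci set network.@wireguard_proton0[-1].persistent_keepalive='25'
uci set network.@wireguard_proton0[-1].endpoint_host='169.150.199.70'
uci set network.@wireguard_proton0[-1].endpoint_port='51820'
uci set network.proton0.private_key='key'
uci add_list network.proton0.addresses='10.2.0.2/32'
# 10.2.0.1 becomes an upstream resolver for dnsmasq while the tunnel is up.
uci add_list network.proton0.dns='10.2.0.1'
uci set network.proton0.multipath='off'
# ... and route_allowed_ips='1' makes netifd add routes for them, i.e. a
# default route through the tunnel for both address families whenever
# proton0 is up. According to the replies below, the wan default route is
# not reinstated until the interface is disabled/removed and the router
# is rebooted.
uci set network.@wireguard_proton0[-1].route_allowed_ips='1'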

Even deleting the interface doesn't fix it.

Delete or disable (i.e. do not start at boot) the VPN interface, then restart the router and try again. This is a routing table issue.

You did reboot after disabling the VPN interface?
Otherwise the default route via the wan is not automatically reinstated

and of course you need to add the forwarding and add a publicly available DNS server as per my earlier post

I reflashed 25.12 and I'm gonna try using pbr to make a separate route, thank you all