Guest network works for all devices except android phones

(Title changed for clarity)
I have set up a guest network. I can connect to the guest network and the internet on 2 rokus, a laptop and a pc without issue. Three different cell phones (all android, various models) connect to the guest network, nut receive a message "Connect to network but no internet access"

The same cell phones are able to access internet if they connect to the default wireless channels.

I can't find any posts or anything on the internet with this specific problem, so I'm sure I've done something wrong. Any help would be greatly appreciated.
below is the outcome of ```
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@OpenWrt:~# ubus call system board
{
"kernel": "6.12.85",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.3",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32912-6639b15f62",
"target": "mediatek/filogic",
"description": "OpenWrt 25.12.3 r32912-6639b15f62",
"builddate": "1777933845"
}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid 'redacted'
option ula_prefix 'fda7:f683:d521::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
option multipath 'off'
list ipaddr '192.168.1.1/24'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'

config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'

config device
option type 'bridge'
option name 'br-puddle5'
option bridge_empty '1'

config interface 'puddlejumper5'
option proto 'static'
option device 'br-puddle5'
option multipath 'off'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel '2'
option htmode 'HE20'
option country 'US'
option cell_density '0'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Firefly2'
option encryption 'sae-mixed'
option key 'redacted'
option ocv '0'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel '36'
option htmode 'HE80'
option country 'US'
option cell_density '0'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Firefly5'
option encryption 'sae-mixed'
option key 'redacted'
option ocv '0'

config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'Puddlejumper5'
option encryption 'sae-mixed'
option network 'puddlejumper5'
option key 'redacted'
option ocv '0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option port '54'
option noresolv '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_preference 'medium'
list dhcp_option '3,192.168.1.1'
list dhcp_option '6,192.168.1.1'
list dhcp_option '15,lan'
list dns 'fda7:f683:d521::1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'

config host
option name 'pcmain'
option ip '192.168.1.230'
list mac 'redacted
config host
option name 'pcmain'
list duid 'redacted'
option hostid 'a00'

config dhcp 'puddlejumper5'
option interface 'puddlejumper5'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'

config host
option name 'roku1'
option ip '192.168.1.154'
list mac 'redacted
config host
option name 'roku2'
option ip '192.168.5.100'
list mac 'redacted'

config host
option name 'G8-ThinQ'
option ip '192.168.1.157'
list mac 'redacted'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'puddlejumper5'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'puddlejumper5'

config forwarding
option src 'puddlejumper5'
option dest 'wan'

config rule
option src 'puddlejumper5'
option name 'Allow-DNS-Puddlejumper5'
option dest_port '53'
option target 'ACCEPT'

config rule
option src 'puddlejumper5'
option name 'Allow-DHCP-Puddlejumper5'
list proto 'udp'
option dest_port '67'
option target 'ACCEPT'

config redirect
option target 'DNAT'
option name 'intercept'
option src 'lan'
option src_dport '53'
option family 'any'
list proto 'tcp'
list proto 'udp'

config redirect
option target 'DNAT'
option name 'Adguard'
list proto 'udp'
option src 'lan'
option src_dport '53'
option dest_ip '192.168.1.1'
option dest_port '53'

root@OpenWrt:~#

For starters try to set wireless security to WPA2 + CCMP instead of SAE mixed

Thank you, I actually did this, as well as disabling the password altogether. It does not matter. The phones will connect to the network, be assigned an IP, etc, but are not able to access the internet.

When you change the dnsmasq listening port, the DNS server address must be specified in each pool section using DHCP option 6.

uci add_list dhcp.puddlejumper5.dhcp_option='6,192.168.5.1'
uci commit dhcp
service dnsmasq restart

Thank you, that did it! (Edit: everything works perfectly!) I'm curious, do you happen to know why this would not have affected any of my other devices?

The only explanation I have is that the browsers used on the other devices have hardcoded DNS settings or use DoH/DoT.

Thanks, I think the rokus are hardcoded, at least. I really appreciate your time and help.