Shamu
April 12, 2026, 10:08pm
1
I've spent weeks trying to figure out how to create proper VLAN subnets, and today I soft-bricked it when trying to follow a video guide that told me to enable VLAN filtering and assign "unmasked traffic" to br-lan. It would not save; it would use 90 seconds and then revert the changes. I went into the CLI and extended it to 180 seconds, but then my whole router bricked and I had to do bootloader recovery; it was hell.
And now I didn't dare to touch it again, so I tried to set up a basic guest network connection instead; since it is isolated away from the main network, it was/is a good workaround. But the problem is that WireGuard VPN into my admin network does not work via the guest network, hence why I would rather do a proper VLAN configuration instead.
Are there any good up to date guides for this? Is there a reason why Wireguard vpn does not work on guest networks?
If you search the forum, you will find many examples. Fundamentally, the process involves using bridge-vlans.
Once you make the bridge-vlans, you need to assign your existing lan to one of those VLANs (device 'br-lan.x' where x is the VLAN ID you'll be using for your lan).
Then you can create and assign your other networks as needed.
1 Like
Shamu
April 13, 2026, 6:48pm
3
Thank you! This worked, and I learned a lot on the way too
Shamu
April 13, 2026, 7:50pm
4
Do you know how to make these soft VLANs into wireless-compliant interfaces? When I create a wireless network and assign a software VLAN to it, it is not broadcasting and it states that "wireless is disabled". Somewhere I guess I need to assign the physical antennas to the software VLAN?
Once you have a bridge-VLAN, you'll use that as the device for the network interface. That network will have an address if it is either responsible for routing said network or if it is used for managing the device, or it may be unmanaged (no address) if it is a bridged AP (for the non-management network).
From there, you simply use the network name in the wifi config stanza and it will work.
For example... here would be a config for a standard router:
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan3:u*'
    list ports 'lan4:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1/24'
    option multipath 'off'

config interface 'guest'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1/24'
    option multipath 'off'
Or... let's say you had a bridged-AP -- it might look like this:
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:t'
    list ports 'lan2:u*'
    list ports 'lan3:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:t'
    list ports 'lan4:u*'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.2/24'

config interface 'guest'
    option device 'br-lan.2'
    option proto 'none'
In both cases, you'd attach the wifi networks to lan and guest.
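The wiring described in the reply above (bridge ports, bridge-vlan membership, interfaces on 'br-lan.x', wifi-iface stanzas pointing at a network name) can be checked before a config is applied, so a segmentation mistake is caught offline rather than on the router. This is an added example, not part of the original posts and not an OpenWrt tool; the function names, the finding texts and the sample wifi-iface stanzas are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the standard-router example (lan2 dropped) plus made-up wifi stanzas.
SAMPLE = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan3'
    list ports 'lan4'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan3:u*'
    list ports 'lan4:t'
config interface 'lan'
    option device 'br-lan.1'
config interface 'guest'
    option device 'br-lan.2'
config wifi-iface 'wifinet1'
    option network 'guest'
config wifi-iface 'wifinet2'
    option network 'office'
"""

def parse_uci(text):
    """Parse UCI text into [(type, name, {option: [values]})]."""
    sections = []
    for m in re.finditer(r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'([^']*)')?", text, re.M):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, defaultdict(list)))
        elif sections:
            sections[-1][2][key].append(val)
    return sections

def check(text):  # returns a list of human-readable findings
    secs, findings = parse_uci(text), []
    bridges = {o["name"][0]: set(o["ports"])
               for t, _, o in secs if t == "device" and o["type"] == ["bridge"]}
    # (bridge, vid) -> {port: flags}; flags are 't' (tagged), 'u' (untagged), '*' (PVID)
    vlans = {(o["device"][0], o["vlan"][0]): dict((p.split(":") + [""])[:2] for p in o["ports"])
             for t, _, o in secs if t == "bridge-vlan"}
    untagged = defaultdict(list)  # (bridge, port) -> VLAN IDs the port is untagged in
    for (br, vid), members in vlans.items():
        if not members:
            findings.append(f"{br} vlan {vid}: no member ports")
        for port, flags in members.items():
            if port not in bridges.get(br, ()):
                findings.append(f"{br} vlan {vid}: {port} is not a port of {br}")
            if "t" not in flags:  # assumption: a port without 't' is untagged
                untagged[(br, port)].append(vid)
    for (br, port), vids in untagged.items():
        if len(vids) > 1:
            findings.append(f"{br}: {port} is untagged in VLANs {', '.join(vids)}")
    ifaces = {n: (o["device"] or [""])[0] for t, n, o in secs if t == "interface"}
    for name, dev in ifaces.items():
        br, _, vid = dev.partition(".")
        if br in bridges and vid and (br, vid) not in vlans:
            findings.append(f"interface {name}: no bridge-vlan {vid} on {br}")
        elif br in bridges and not vid and any(b == br for b, _ in vlans):
            findings.append(f"interface {name}: uses bare {br}, not {br}.<vlan>")
    for t, name, o in secs:
        net = (o["network"] or [None])[0]
        if t == "wifi-iface" and net not in ifaces:
            findings.append(f"wifi-iface {name}: network '{net}' is not a defined interface")
    return findings
```

Pass `check()` the concatenated text of `/etc/config/network` and `/etc/config/wireless`; an empty list means the bridge-VLAN, interface and wifi references are consistent with each other, not that the firewall zones are.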
Shamu
April 13, 2026, 9:43pm
6
I did exactly that, attach the bridge-vlan as the DHCP interface to the newly created wireless network, but it would not work because that vlan did not have a wireless modem connected to it or something (if I am to guess).
I can add lan and guest to the wireless network, but I have separate wireless networks for lan and guest. I am trying to attach the newly made software VLAN br-home.10 to it, but the wireless is in a constant "disabled" state, even though I hit "enable".
Let's see your complete config:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Shamu
April 13, 2026, 10:59pm
8
All right, here's wireless first. After my previous reply I found a video that told me to add option ifname ra0 corresponding to what I previously had before swapping the networks, and I see I have ra0, ra1, and ra2, same with 5g rax1 and rax2. So I tried to add them, and some show up, and others don't. In this case, net2 shows up, but the others don't. net2 also never connects; I get a configuration failure:
root@gli:~# cat /etc/config/wireless
config wifi-device 'mt798611'
option type 'mtk'
option band '2g'
option htmode 'HE40'
option channel 'auto'
option txpower '100'
option country 'US'
option random_bssid '1'
option legacy_rates '0'
config wifi-iface 'wifi2g'
option device 'mt798611'
option mode 'ap'
option network 'lan'
option ifname 'ra0'
option wds '1'
option ieee80211k '1'
option bss_transition '1'
option ssid 'net1'
option encryption 'sae'
option key 'secretpass'
option macaddr 'secretmac'
config wifi-device 'mt798612'
option type 'mtk'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option txpower '100'
option country 'US'
option random_bssid '1'
config wifi-iface 'wifinet3'
option device 'mt798611'
option mode 'ap'
option ssid 'net2'
option ifname 'ra1'
option network 'subnet4'
option encryption 'psk2'
option key 'secretpass'
option macaddr 'secretmac'
config wifi-iface 'wifinet4'
option device 'mt798611'
option mode 'ap'
option ssid 'iot'
option encryption 'psk2'
option hidden '1'
option key 'secretpass'
option network 'subnet5'
option ifname 'ra2'
option macaddr 'secretmac'
Here is the cat /etc/config/network
root@gli:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb9:e20f:c666::/48'
config device
option name 'br-lan'
option type 'bridge'
option macaddr 'secretmac'
option bridge_empty '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config device
option name 'lan1'
option macaddr 'secretmac'
config device
option name 'lan2'
option macaddr 'secretmac'
config device
option name 'lan3'
option macaddr 'secretmac'
config device
option name 'lan4'
option macaddr '94:83:c4:ba:e3:a4'
config device
option name 'lan5'
option macaddr '94:83:c4:ba:e3:a4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.1.1'
config device
option name 'eth1'
option macaddr 'secretmac2'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config rule 'policy_relay_lo_rt_lan'
option lookup '16800'
option in 'loopback'
option priority '1'
config interface 'tethering6'
option device '@tethering'
option proto 'dhcpv6'
option disabled '1'
config interface 'wwan6'
option device '@wwan'
option proto 'dhcpv6'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option metric '20'
config interface 'secondwan'
option ipv6 '0'
option proto 'dhcp'
option metric '15'
option force_link '0'
option classlessroute '0'
config interface 'secondwan6'
option proto 'dhcpv6'
option device '@secondwan'
option disabled '1'
config rule 'novpn_to_main'
option gl_vpn_rules '1'
option mark '0x8000/0xf000'
option priority '6000'
option lookup 'main'
option disabled '0'
config rule 'vpn_to_main'
option gl_vpn_rules '1'
option mark '0x0/0xf000'
option priority '9000'
option lookup 'main'
option invert '1'
option disabled '0'
config rule 'vpn_leak_block'
option gl_vpn_rules '1'
option mark '0x0/0xf000'
option priority '9910'
option action 'blackhole'
option invert '1'
option disabled '0'
config rule 'vpn_block_lan_leak'
option gl_vpn_rules '1'
option in 'lan'
option priority '9920'
option action 'blackhole'
option disabled '0'
config rule 'vpn_block_guest_leak'
option gl_vpn_rules '1'
option in 'guest'
option priority '9920'
option action 'blackhole'
option disabled '0'
config rule 'vpn_block_wgserver_leak'
option gl_vpn_rules '1'
option in 'wgserver'
option priority '9920'
option action 'blackhole'
option disabled '0'
config rule 'vpn_block_ovpnserver_leak'
option gl_vpn_rules '1'
option in 'ovpnserver'
option priority '9920'
option action 'blackhole'
option disabled '0'
config interface 'wgserver'
option proto 'wgserver'
option config 'main_server'
option disabled '0'
config device
option type 'bridge'
option name 'br-iot'
list ports 'lan5'
option bridge_empty '1'
option ipv6 '0'
config interface 'wgclient1'
option proto 'wgclient'
option config 'peer_2001'
option ip4table '1001'
option ip6table '1001'
option disabled '0'
config rule 'rt_wgclient1'
option mark '0x1000/0xf000'
option lookup '1001'
option priority '6000'
config route 'wgclient1_blackhole'
option target '0.0.0.0'
option netmask '0.0.0.0'
option interface 'loopback'
option metric '254'
option type 'blackhole'
option table '1001'
config rule6 'rt_wgclient1_6'
option mark '0x1000/0xf000'
option lookup '1001'
option priority '6000'
config route6 'wgclient1_blackhole_6'
option target '::0/0'
option interface 'loopback'
option metric '25400'
option type 'blackhole'
option table '1001'
config bridge-vlan
option device 'br-iot'
option vlan '10'
config device
option type 'bridge'
option name 'br-home'
list ports 'lan4'
config bridge-vlan
option device 'br-home'
option vlan '10'
config bridge-vlan
option device 'br-home'
option vlan '20'
list ports 'lan4'
config bridge-vlan
option device 'br-iot'
option vlan '20'
list ports 'lan5'
config interface 'subnet5'
option proto 'static'
option device 'br-iot.20'
option ipaddr '10.50.0.1'
option netmask '255.255.255.0'
config interface 'subnet4'
option proto 'static'
option device 'br-home.20'
option ipaddr '10.40.0.1'
option netmask '255.255.255.0'
config rule 'main_static_net'
option gl_vpn_rules '1'
option suppress_prefixlength '0'
option priority '800'
option lookup '9910'
option disabled '0'
And cat /etc/config/dhcp
root@gli:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option rebind_protection '0'
option filter_aaaa '1'
option noresolv '1'
list server '1.1.1.1'
list server '1.0.0.1'
list server '2606:4700:4700::1111'
list server '2606:4700:4700::1001'
option domain 'ts.net lan'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra_slaac '1'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
option ignore '0'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'console.gl-inet.com'
option ip '192.168.1.1'
config domain
option name 'console.gl-inet.com'
option ip '::ffff:192.168.1.1'
config dhcp 'secondwan'
option interface 'secondwan'
option ignore '1'
config host
option mac 'secretmac'
option ip '192.168.1.196'
option tag 'PC3'
config host
option mac 'secretmac'
option ip '192.168.1.224'
option tag 'srv1'
config host
option mac 'secretmac'
option ip '192.168.1.225'
option tag 'srvbk'
config host
option mac 'secretmac'
option ip '192.168.1.185'
option tag 'Speaker Main'
config host
option mac 'secretmac'
option ip '192.168.1.206'
option tag 'Speaker SUB'
config host
option mac 'secretmac'
option ip '192.168.1.104'
option tag 'Speaker R Rear'
config host
option mac 'secretmac'
option ip '192.168.1.146'
option tag 'Speaker L Rear'
config host
option mac 'secretmac'
option ip '192.168.1.195'
option tag 'PC2'
config host
option mac 'secretmac'
option ip '192.168.1.109'
option tag 'Hue'
config host
option mac 'secretmac'
option ip '192.168.1.118'
option tag 'tvb'
config host
option mac 'secretmac'
option ip '192.168.1.111'
option tag 'pc1'
config host
option mac 'secretmac'
option ip '192.168.1.188'
option tag 'HA'
config dnsmasq 'wgclient1'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option boguspriv '0'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.wgclient1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d.wgclient1'
option port '2153'
option filter_aaaa '1'
option user 'dnsmasq_vpn'
list domain 'lan'
list domain 'guest'
list domain 'wan'
list addnhosts '/tmp/hosts.vpn'
option ignore_hosts_dir '1'
option disabled '0'
config dhcp 'subnet5'
option interface 'subnet5'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'subnet4'
option interface 'subnet4'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
root@gli:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config rule 'wan_drop_leaked_adgdns'
option name 'wan_drop_leaked_adgdns'
option src 'wan'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '0'
config rule 'wan_drop_leaked_dns'
option name 'wan_drop_leaked_dns'
option src 'wan'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '0'
config rule 'guest_drop_leaked_dns'
option name 'guest_drop_leaked_dns'
option src 'guest'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '0'
config rule 'guest_drop_leak_adgdns'
option name 'guest_drop_leak_adgdns'
option src 'guest'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '0'
config rule
option name 'Blocrules - IoT Devices'
list proto 'all'
option src 'lan'
list src_ip '192.168.1.146'
list src_ip '192.168.1.187'
list src_ip '192.168.1.114'
list src_ip '192.168.1.139'
list src_ip '192.168.1.185'
list src_ip '192.168.1.166'
option dest 'wan'
option target 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'secondwan'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config include 'dns_order'
option type 'script'
option path '/etc/firewall.dns_order'
option reload '1'
option enabled '1'
config include 'vpnclient'
option type 'script'
option path '/usr/bin/rtp2.sh'
option reload '0'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config include 'dmz_exclude'
option type 'script'
option path '/etc/firewall.dmz.exclude'
option reload '1'
config include 'security'
option type 'script'
option path '/etc/firewall.security'
option reload '0'
config rule 'lan_drop_leaked_dns'
option name 'lan_drop_leaked_dns'
option src 'lan'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'lan_drop_leak_adgdns'
option name 'lan_drop_leak_adgdns'
option src 'lan'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config rule 'wgserver_drop_leaked_dns'
option name 'wgserver_drop_leaked_dns'
option src 'wgserver'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'ovpnserver_drop_leaked_dns'
option name 'ovpnserver_drop_leaked_dns'
option src 'ovpnserver'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'wgserver_drop_leaked_adgdns'
option name 'wgserver_drop_leaked_adgdns'
option src 'wgserver'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config rule 'ovpnserver_drop_leaked_adgdns'
option name 'ovpnserver_drop_leaked_adgdns'
option src 'ovpnserver'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config redirect
option enabled '0'
option proto 'tcp udp'
option src_dport '443'
option dest_ip '192.168.1.111'
option dest_port '443'
option src 'wan'
option name 'GL-WAN443-NGINX'
option dest 'lan'
config zone 'tailscale0'
option name 'tailscale0'
option input 'ACCEPT'
option mtu_fix '1'
list device 'tailscale0'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'wgclient1'
option name 'wgclient1'
option forward 'ACCEPT'
option output 'ACCEPT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
option masq6 '1'
option enabled '1'
list network 'wgclient1'
config zone 'wgserver'
option name 'wgserver'
option output 'ACCEPT'
option mtu_fix '1'
option input 'ACCEPT'
option masq6 '0'
option family 'ipv4'
option forward 'ACCEPT'
list network 'wgserver'
option masq '0'
option enabled '1'
config rule 'wgserver_allow'
option name 'wgserver_allow'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '51820'
option family 'ipv4'
option enabled '1'
config rule 'wgserver2lan'
option name 'wgserver2lan'
option src 'wgserver'
option dest 'lan'
option proto 'all'
option target 'ACCEPT'
option family 'ipv4'
option enabled '1'
config forwarding 'wgserver2wan'
option name 'wgserver2wan'
option src 'wgserver'
option dest 'wan'
option family 'ipv4'
option enabled '1'
config forwarding 'lan2wgserver'
option name 'lan2wgserver'
option src 'lan'
option dest 'wgserver'
option family 'ipv4'
option enabled '1'
config rule 'wgserver2wgserver'
option name 'wgserver2wgserver'
option src 'wgserver'
option dest 'wgserver'
option proto 'all'
option target 'REJECT'
option family 'ipv4'
option enabled '1'
config rule 'wgserver_allow_dns'
option name 'wgserver_allow_dns'
option src 'wgserver'
option target 'ACCEPT'
option dest_port '53'
option family 'ipv4'
option enabled '1'
config rule
option name '1. WG Plebs (NC, Immich, Jelly, Wiki, Navi, Srx)'
option src 'wgserver'
list src_ip '10.1.0.9'
list src_ip '10.1.0.10'
list src_ip '10.1.0.11'
list src_ip '10.1.0.12'
option dest 'lan'
list dest_ip '192.168.1.244'
option dest_port 'xxxx xxxx xxxx xxxx xxxx xxxx xxxx xx xxxx'
option target 'ACCEPT'
config rule
option name '2. WG Liliana (NC, Immich, Jelly, Wiki, Navi, Srx)'
option src 'wgserver'
list src_ip '10.1.0.6'
list src_ip '10.1.0.7'
list src_ip '10.1.0.8'
option dest 'lan'
list dest_ip '192.168.1.244'
option dest_port 'xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xx xxxx xxxx'
option target 'ACCEPT'
config rule
option name '3. WG Admin'
option src 'wgserver'
list src_ip '10.1.0.0/24'
option dest 'lan'
option target 'ACCEPT'
config rule
option name '4. Pleb DROP rule'
option src 'wgserver'
list src_ip '10.1.0.0/24'
option dest 'lan'
option target 'DROP'
config zone
option name 'subnet4'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'subnet4'
config zone
list device 'br-iot'
option masq_allow_invalid '1'
option output 'REJECT'
option forward 'ACCEPT'
option name 'subnet5'
list network 'subnet5'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'subnet5'
config forwarding 'lan2wgclient1'
option src 'lan'
option dest 'wgclient1'
config forwarding 'guest2wgclient1'
option src 'guest'
option dest 'wgclient1'
config forwarding 'wan2wgclient1'
option src 'wan'
option dest 'wgclient1'
config forwarding 'ovpnserver2wgclient1'
option src 'ovpnserver'
option dest 'wgclient1'
config forwarding 'wgserver2wgclient1'
option src 'wgserver'
option dest 'wgclient1'
config forwarding
option src 'subnet4'
option dest 'lan'
config forwarding
option src 'subnet4'
option dest 'wgclient1'
config forwarding
option src 'lan'
option dest 'subnet4'
config forwarding
option src 'subnet5'
option dest 'lan'
Although I don't know what video you're referencing, I wouldn't recommend following it -- I don't think that these values are valid.
Make a backup of your configs. Then reset the router to defaults... post the complete config of the router in the default state. Then we'll see what should be there.