Internet seems to be stuttering after configuring OpenWrt

The !lan networks have only UDP DNS port open, should be tcp too.
What special is running on same router to produce those DNS requests in bulk?
Are all "servers" in order like

Sat Jun  8 06:53:09 2024 daemon.info dnsmasq[1]: server 127.0.0.1#5453: queries sent 95539, retried 119, failed 229, nxdomain replies 664, avg. latency 28ms

retried = 1..5s response time
failed = > 5s
nxdomain - domain certainly did not exist
if DNS latency exceeds 300ms you formally have poor web experience as per google metrics. Normally you should be querying only pihole to filter what you want to filter.

Is the upstream directly connected to the Internet?

What if you see an rfc1918 address on the wan, it could explain a lot.

ifstatus wan | grep address

Yes it is connected directly to the internet, it is my main router that I am using to connect directly to my ISP

 ifstatus wan | grep address
        "ipv4-address": [
                        "address": "ISP provided IP",
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [

Sad you deleted config files. Could you re-add network and dhcp, we already figured out with wifi.
They indicated pihole in lan network sort of intended to figure out filtering, but only added via optional DHCP parameter, then the default dnsmasq actually backending providers' servers.
It shoud have been exposed via pkill+logread.

I'mm not sure what you mean, I didn't delete any config files and the original config is still in the original post. I'm also not sure what you're asking me to do :frowning:

I have found a possible solution to my problem? I found this thread that's been semi-active since 2021 until April of last year where users were reporting a similar issue to mine. I tried a few of the solutions listed and so far unchecking Disassociate On Low Acknowledgement for each AP in Network > Wireless > Edit > Interface Configuration > Advanced Settings seems to be working? I'm not going to mark this as a solution until I've thoroughly tested it however.

That setting should help if you are routinely at the border of coverage, like 20m inside 50m outside, with one or no stripe in client indicator.
Config file /etc/config/wireless & friends to get you connecting guest net well :wink: those ones.

Update: The solution given was only temporary, I'm now back to having issues.

Plese provide:

  • dns server stats after pkill+logread

  • /etc/config/network and firewalland and dhcp with public ips and macs and passwords replaced.

additionally process querying dns on 127..1 is to beidentified, given slowly oncoming problem that mayleak memory.

pkill -USR1 dnsmasq ; logread -e dnsmasq
-ash: pkill: not found
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:41 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy0-ap2) d4:e2:2f:32:7d:28
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy0-ap2) 192.168.4.148 d4:e2:2f:32:7d:28
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy0-ap2) d4:e2:2f:32:7d:28
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy0-ap2) 192.168.4.148 d4:e2:2f:32:7d:28
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy0-ap2) 192.168.4.148 d4:e2:2f:32:7d:28
Tue Jun 11 19:46:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap2) 192.168.4.148 d4:e2:2f:32:7d:28 RokuExpress4K
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy0-ap2) 20:ef:bd:59:58:73
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy0-ap2) 192.168.4.196 20:ef:bd:59:58:73
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy0-ap2) 20:ef:bd:59:58:73
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy0-ap2) 192.168.4.196 20:ef:bd:59:58:73
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy0-ap2) 192.168.4.196 20:ef:bd:59:58:73
Tue Jun 11 19:47:16 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap2) 192.168.4.196 20:ef:bd:59:58:73 RokuExpress4K
Tue Jun 11 19:47:38 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:47:38 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.182 9e:3e:8c:a3:ce:7f
Tue Jun 11 19:48:38 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.248 5e:0e:0a:d7:64:d9
Tue Jun 11 19:48:38 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.248 5e:0e:0a:d7:64:d9
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1c:9dfc:85e4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.63'
        list dns '100.64.0.7'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option norelease '1'
        list dns '192.168.1.63'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '192.168.1.63'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 4 3 1'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config interface 'GuestDHCP'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.63'
        list dns '100.64.0.7'

config interface 'GuestVPN'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.63'
        list dns '100.64.0.7'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 2'
        option vid '3'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.63'

config interface 'GuestLAN'
        option proto 'static'
        option device 'eth1.3'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

config interface 'VPNWG'
        option proto 'wireguard'
        option private_key 'Removed'
        list addresses '10.71.48.16/32'
        list addresses 'fc00:bbbb:bbbb:bb01::8:300f/128'

config wireguard_VPNWG 'wgserver'
        option public_key 'Removed'
        option endpoint_host '185.156.46.143'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config interface 'VPNDHCP'
        option proto 'static'
        list ipaddr '192.168.3.1/24'
        list dns '192.168.1.63'

config interface 'RouterWG'
        option proto 'wireguard'
        option private_key 'Removed'
        option listen_port '58120'
        list addresses '10.14.0.1/24'

config wireguard_RouterWG
        option description 'Test'
        option public_key 'Removed'
        option private_key 'Removed'
        option preshared_key 'Removed'
        list allowed_ips '10.14.0.12/32'
        option route_allowed_ips '1'

config wireguard_RouterWG
        option public_key 'Removed'
        option private_key 'Removed'
        option preshared_key 'Removed'
        list allowed_ips '10.14.0.13/32'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'RouterWG'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'VPNWG'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'VPNDHCP'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPNDHCP'

config forwarding
        option src 'VPNDHCP'
        option dest 'wan'

config rule
        option name 'VPNDHCP'
        option src 'VPNDHCP'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option name 'VPNDNS'
        option src 'VPNDHCP'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config zone
        option name 'GuestDHCP'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GuestDHCP'

config forwarding
        option src 'GuestDHCP'
        option dest 'wan'

config rule
        option name 'GuestDHCP'
        list proto 'udp'
        option src 'GuestDHCP'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'GuestDNS'
        option src 'GuestDHCP'
        option dest_port '53'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.63'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.63'
        option dest_port '443'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Postfix SMTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '25'
        option dest_ip '192.168.1.63'
        option dest_port '25'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Postfix SMTPS'
        option src 'wan'
        option src_dport '465'
        option dest_ip '192.168.1.63'
        option dest_port '465'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Postfix Submission'
        list proto 'tcp'
        option src 'wan'
        option src_dport '587'
        option dest_ip '192.168.1.63'
        option dest_port '587'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Dovecot IMAP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '143'
        option dest_ip '192.168.1.63'
        option dest_port '143'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Dovecot IMAPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '993'
        option dest_ip '192.168.1.63'
        option dest_port '993'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Dovecot POP3'
        list proto 'tcp'
        option src 'wan'
        option src_dport '110'
        option dest_ip '192.168.1.63'
        option dest_port '110'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Dovecot POP3S'
        list proto 'tcp'
        option src 'wan'
        option src_dport '995'
        option dest_ip '192.168.1.63'
        option dest_port '995'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Dovecot ManageSieve        '
        list proto 'tcp'
        option src 'wan'
        option src_dport '4190'
        option dest_ip '192.168.1.63'
        option dest_port '4190'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'TURN (Coturn)'
        option src 'wan'
        option src_dport '3478'
        option dest_ip '192.168.1.63'
        option dest_port '3478'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'TURN (Coturn)'
        option src 'wan'
        option src_dport '5349'
        option dest_ip '192.168.1.63'
        option dest_port '5349'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Matrix Federation API'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8448'
        option dest_ip '192.168.1.63'
        option dest_port '8448'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'TURN over UDP'
        list proto 'udp'
        option src 'wan'
        option src_dport '49152-49172'
        option dest_ip '192.168.1.63'
        option dest_port '49152-49172'

config rule
        option name 'VPNTCP'
        option src 'VPNDHCP'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '53 80 443 25 465 587 143 993 110 995 4190 3478 5349 8448 25565 21114-21119'
        option target 'ACCEPT'
        list proto 'tcp'

config zone
        option name 'GuestMullvd'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GuestVPN'

config forwarding
        option src 'GuestMullvd'
        option dest 'wan'

config rule
        option name 'GVPNDNS'
        option src 'GuestMullvd'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'GVPNDHCP'
        option src 'GuestMullvd'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'GuestLAN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GuestLAN'

config forwarding
        option src 'GuestLAN'
        option dest 'wan'

config rule
        option name 'GuestLanDNS'
        option src 'GuestLAN'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'GuestLanDHCP'
        option src 'GuestLAN'
        option target 'ACCEPT'
        option dest_port '67'

config rule
        option name 'GuestTCP'
        list proto 'tcp'
        option src 'GuestDHCP'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '53 80 443 25 465 587 143 993 110 995 4190 3478 5349 8448 25565 21114-21119'
        option target 'ACCEPT'

config rule
        option name 'GVPNTCP'
        list proto 'tcp'
        option src 'GuestMullvd'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '53 80 443 25 465 587 143 993 110 995 4190 3478 5349 8448 25565 21114-21119'
        option target 'ACCEPT'

config rule
        option name 'GuestLanTCP'
        list proto 'tcp'
        option src 'GuestLAN'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '53 80 443 25 465 587 143 993 110 995 4190 3478 5349 8448 25565 21114-21119'
        option target 'ACCEPT'

config rule
        option name 'VPNUDP'
        list proto 'udp'
        option src 'VPNDHCP'
        list dest_ip '192.168.1.63'
        option dest_port '3478 5349 49152-49172 24454 19132 51820 53 21116'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'GuestUDP'
        list proto 'udp'
        option src 'GuestDHCP'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '3478 5349 49152-49172 24454 19132 51820 53 21116'
        option target 'ACCEPT'

config rule
        option name 'GuestLanUDP'
        list proto 'udp'
        option src 'GuestLAN'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '3478 5349 49152-49172 24454 19132 51820 53 21116'
        option target 'ACCEPT'

config rule
        option name 'GVPNUDP'
        list proto 'udp'
        option src 'GuestMullvd'
        option dest 'lan'
        list dest_ip '192.168.1.63'
        option dest_port '3478 5349 49152-49172 24454 19132 51820 53 21116'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Minecraft Java Server'
        list proto 'tcp'
        option src 'wan'
        option src_dport '25565'
        option dest_ip '192.168.1.63'
        option dest_port '25565'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Minecraft Java Voice Chat'
        list proto 'udp'
        option src 'wan'
        option src_dport '24454'
        option dest_ip '192.168.1.63'
        option dest_port '24454'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.63'
        option dest_port '51820'

config rule
        option name 'LAN->Guest'
        list proto 'tcp'
        option src 'lan'
        option dest 'GuestDHCP'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'GuestLAN'
        option target 'ACCEPT'
        option name 'LAN->GuestLan'

config rule
        option name 'LAN->GuestVPN'
        option src 'lan'
        option dest 'GuestMullvd'
        option target 'ACCEPT'

config rule
        option name 'LAN->MVPN'
        option src 'lan'
        option dest 'VPNDHCP'
        option target 'ACCEPT'

config rule
        option name 'MVPN->LAN'
        option src 'VPNDHCP'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'MVPN->Guest'
        option src 'VPNDHCP'
        option dest 'GuestDHCP'
        option target 'ACCEPT'

config rule
        option name 'MVPN->GuestLan'
        option src 'VPNDHCP'
        option dest 'GuestLAN'
        option target 'ACCEPT'

config rule
        option name 'MVPN->GuestVPN'
        option src 'VPNDHCP'
        option dest 'GuestMullvd'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'IoTDHCP'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IoTDNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'LAN->IoT'
        option src 'lan'
        option dest 'IoT'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'MVPN->IoT'
        option src 'VPNDHCP'
        option dest 'IoT'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'Temp'
        option src 'IoT'
        list src_ip '192.168.7.241'
        option dest 'wan'
        option target 'ACCEPT'

config rule
        option name 'IoTDenyWAN'
        option src 'IoT'
        option dest 'wan'
        option target 'REJECT'

config rule
        option name 'DenyLanGuestVPN'
        option src 'GuestMullvd'
        option dest 'lan'
        option target 'REJECT'

config rule
        option name 'DenyLanGuest'
        option src 'GuestDHCP'
        option dest 'lan'
        option target 'REJECT'

config rule
        option name 'DenyLanGuestLan'
        option src 'GuestLAN'
        option dest 'lan'
        option target 'REJECT'

config rule
        option name 'Printer->Guest'
        option src 'GuestDHCP'
        option dest 'IoT'
        option target 'ACCEPT'
        list proto 'all'
        list dest_ip '192.168.7.148'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RustDesk TCP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '21114-21119'
        option dest_ip '192.168.1.63'
        option dest_port '21114-21119'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RustDesk UDP'
        list proto 'udp'
        option src 'wan'
        option src_dport '21116'
        option dest_ip '192.168.1.63'
        option dest_port '21116'

config rule
        option name 'mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'mDNSv6'
        option src '*'
        option src_port '5353'
        list dest_ip 'ff02::fb'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'IoTDenyLan'
        list proto 'all'
        option src 'IoT'
        option dest 'lan'
        option target 'REJECT'

config rule
        option src 'lan'
        list src_ip '192.168.1.63'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'DNS'
        option dest_port '53'

config rule
        option name 'AllowDNS'
        option src '*'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.1.63'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DNS'
        option src 'wan'
        option src_dport '853'
        option dest_ip '192.168.1.63'
        option dest_port '853'

config redirect
        option target 'DNAT'
        option name 'InterceptDNSLAN'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.63'
        option enabled '0'

config rule
        option name 'VPN Router Config'
        list proto 'tcp'
        option src 'VPNDHCP'
        option src_port '443'
        option dest 'lan'
        list dest_ip '192.168.1.1'
        option dest_port '443'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '58120'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'RouterWG'
        list proto 'udp'
        option src 'wan'
        option src_dport '58120'
        option dest_ip '192.168.1.1'

config rule
        option name 'Roku'
        option src '*'
        option dest 'GuestDHCP'
        list dest_ip '192.168.4.146'
        option target 'ACCEPT'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '10000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option nonwildcard '0'
        option dnsforwardmax '9999999'
        option dhcpleasemax '200'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.63'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'GuestDHCP'
        option interface 'GuestDHCP'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.63'
        option force '1'

config dhcp 'GuestVPN'
        option interface 'GuestVPN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.63'
        option force '1'

config domain
        option name 'mydomain.tld'
        option ip '192.168.1.63'

config domain
        option name 'matrix.mydomain.tld'
        option ip '192.168.1.63'

config domain
        option name 'element.mydomain.tld'
        option ip '192.168.1.63'

config domain
        option name 'jitsi.mydomain.tld'
        option ip '192.168.1.63'

config domain
        option name 'etherpad.mydomain.tld'
        option ip '192.168.1.63'


config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.63'
        option force '1'

config srvhost
        option srv '_submission._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '587'
        option class '0'
        option weight '1'

config srvhost
        option srv '_smtps._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '465'
        option class '0'
        option weight '1'

config srvhost
        option srv '_sieve._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '4190'
        option class '0'
        option weight '1'

config srvhost
        option srv '_pop3s._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '995'
        option class '0'
        option weight '1'

config srvhost
        option srv '_pop3._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '110'
        option class '0'
        option weight '1'

config srvhost
        option srv '_imaps._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '993'
        option class '0'
        option weight '1'

config srvhost
        option srv '_imap._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '143'
        option class '0'
        option weight '1'

config srvhost
        option srv '_carddavs._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '443'
        option class '0'
        option weight '1'

config srvhost
        option srv '_caldavs._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '443'
        option class '0'
        option weight '1'

config srvhost
        option srv '_autodiscover._tcp.mail.mydomain.tld'
        option target 'mail.mydomain.tld'
        option port '443'
        option class '0'
        option weight '1'

config host
        option name 'Living-Room'
        option ip '192.168.1.100'
        option mac '6C:63:9C:B3:14:96'

config host
        option ip '192.168.6.103'
        option mac '08:BF:B8:6D:BD:C2'

config dhcp 'GuestLAN'
        option interface 'GuestLAN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.63'
        option force '1'

config domain
        option name 'printer.local'
        option ip '192.168.7.148'

config dhcp 'VPNDHCP'
        option interface 'VPNDHCP'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

config domain
        option name 'dns.mydomain.tld'
        option ip '192.168.1.63'

config domain
        option name 'roku.local'
        option ip '192.168.4.146'


opkg list | grep pkill
opkg install ....-pkill
        option dnsforwardmax '9999999'

Seriously? You will run out of outgoing port number in no time if something goes slow.

Sorry, that was me trying to troubleshoot to see if that was the issue and I never fixed it. I just set it back to 300. Here's the updated pkill command

root@OpenWrt:~# pkill -USR1 dnsmasq ; logread -e dnsmasq
Tue Jun 11 19:59:46 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 19:59:46 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 20:01:07 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 20:01:07 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 20:01:55 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy0-ap1) 192.168.3.167 6a:4d:9a:63:8b:f8
Tue Jun 11 20:01:55 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap1) 192.168.3.167 6a:4d:9a:63:8b:f8
Tue Jun 11 20:02:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 20:02:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1.3) 192.168.6.103 08:bf:b8:6d:bd:c2
Tue Jun 11 20:14:23 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.223 3e:8d:97:e4:06:59
Tue Jun 11 20:14:23 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.223 3e:8d:97:e4:06:59
Tue Jun 11 20:14:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.248 5e:0e:0a:d7:64:d9
Tue Jun 11 20:14:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.248 5e:0e:0a:d7:64:d9
Tue Jun 11 20:18:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPINFORM(phy0-ap1) 192.168.3.162 40:a3:cc:14:6e:c3
Tue Jun 11 20:18:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap1) 192.168.3.162 40:a3:cc:14:6e:c3 mj-win11
Tue Jun 11 20:18:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy0-ap1) 192.168.3.162 40:a3:cc:14:6e:c3
Tue Jun 11 20:18:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap1) 192.168.3.162 40:a3:cc:14:6e:c3 mj-win11
Tue Jun 11 20:19:52 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy0-ap3) 40:a3:cc:14:6e:c3
Tue Jun 11 20:19:52 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy0-ap3) 192.168.5.162 40:a3:cc:14:6e:c3
Tue Jun 11 20:19:52 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy0-ap3) 192.168.5.162 40:a3:cc:14:6e:c3
Tue Jun 11 20:19:52 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy0-ap3) 192.168.5.162 40:a3:cc:14:6e:c3 mj-win11
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 10000
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.3.100 -- 192.168.3.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.6.100 -- 192.168.6.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.7.100 -- 192.168.7.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.5.100 -- 192.168.5.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.4.100 -- 192.168.4.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 100.64.0.7#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 100.64.0.7#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 100.64.0.7#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.63#53
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 59 names
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Tue Jun 11 20:20:11 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: time 1718137299
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: cache size 10000, 0/108 cache insertions re-used unexpired cache entries.
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: queries forwarded 45, queries answered locally 66
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: pool memory in use 176, max 308, allocated 2200
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: child processes for TCP requests: in use 0, highest since last SIGUSR1 0, max allowed 20.
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: server 192.168.1.63#53: queries sent 81, retried 0, failed 0, nxdomain replies 5, avg. latency 0ms
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: server 100.64.0.7#53: queries sent 18, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: time 1718137299
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: cache size 10000, 0/108 cache insertions re-used unexpired cache entries.
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: queries forwarded 45, queries answered locally 66
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: pool memory in use 176, max 308, allocated 2200
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: child processes for TCP requests: in use 0, highest since last SIGUSR1 0, max allowed 20.
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: server 192.168.1.63#53: queries sent 81, retried 0, failed 0, nxdomain replies 5, avg. latency 0ms
Tue Jun 11 20:21:39 2024 daemon.info dnsmasq[1]: server 100.64.0.7#53: queries sent 18, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms

It is not realistic DNS usage pattern, at one moment you exceeded 150 inflight requests.

I'd like to update here that it appears the problem only happens to 5Ghz networks.

Well, you did not provide dns stats after >150 reqquests that once were caught happening at once.