Thank you for this, my dnsmasq now reads:
config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option authoritative '1'
My wan interface is now:
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
Apple devices working well now - thanks so much!
I suspect that the reason for most of these changed settings must have been either a previous vpn provider suggestion or an uneducated attempt to block dns leaks. I set up this router long ago originally.
I have just now followed this guide (only the first part - Web interface instructions) and it seems to be blocking dns leaks now:
I also noted your point about mixed mode and have set it to use just wpa2-psk on both SSIDs now.
Regarding the firewall vpn kill switch you mentioned, I have now followed (probably re-followed given that the zone was already set up) the instructions here:
WAN and VPN are both input=reject, output=accept, forward=reject, enable masquerading
One point I'm not clear on - what should the settings be for the LAN -> vpn row (in Luci this is)
currently I have input=accept, output=accept, forward=accept, disable masquerading. Is that correct or should it match the others?
Thanks again!!
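The zone layout described in the post (wan and vpn rejecting input and forwarding with masquerading on, lan forwarding into vpn) can be audited mechanically rather than by eye in LuCI. The script below is an added example, not the poster's configuration and not OpenWrt code: it parses a UCI-format firewall config from stdin, checks the wan and vpn zone settings, confirms a lan -> vpn forwarding exists, and flags any lan -> wan forwarding, which is the path a kill switch is meant to close. The function name check_killswitch and the embedded sample configs are constructed for the example; only the zone values mirror the post.

```shell
#!/bin/sh
# Added example (not the poster's config, not OpenWrt code): audit a
# UCI-format /etc/config/firewall for the VPN kill-switch layout discussed
# above. check_killswitch reads a firewall config on stdin, prints findings,
# and returns 0 only when LAN traffic can leave solely through the vpn zone.

check_killswitch() {
    awk '
    # "config <type> [name]" opens a section; option/list lines fill it in
    /^config[ \t]/ { n++; type[n] = $2; next }
    /^[ \t]*(option|list)[ \t]/ {
        key = $2; val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub("\047", "", val)          # strip the UCI single quotes
        sub(/[ \t]+$/, "", val)
        v[n, key] = val
        next
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (type[i] == "zone") {
                z = v[i, "name"]
                if (z == "wan" || z == "vpn") {
                    if (v[i, "input"] != "REJECT" || v[i, "forward"] != "REJECT") {
                        print "FAIL: zone " z " should have input=REJECT and forward=REJECT"; bad = 1
                    }
                    if (v[i, "masq"] != "1") {
                        print "FAIL: zone " z " should have masquerading enabled"; bad = 1
                    }
                }
            } else if (type[i] == "forwarding") {
                fwd[v[i, "src"] "->" v[i, "dest"]] = 1
            }
        }
        if (!("lan->vpn" in fwd)) { print "FAIL: no forwarding lan -> vpn"; bad = 1 }
        if ("lan->wan" in fwd)    { print "FAIL: forwarding lan -> wan lets traffic bypass the VPN"; bad = 1 }
        if (!bad) print "OK: lan can only forward into the vpn zone; wan and vpn reject inbound"
        exit bad
    }'
}

# Constructed sample mirroring the zone values in the post (network lists omitted).
SAMPLE_FIREWALL="config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'vpn'
"

# Constructed variant with the extra lan -> wan forwarding that defeats the kill switch.
LEAKY_FIREWALL="$SAMPLE_FIREWALL
config forwarding
    option src 'lan'
    option dest 'wan'
"

check_sample()       { printf '%s\n' "$SAMPLE_FIREWALL" | check_killswitch; }
check_leaky_sample() { printf '%s\n' "$LEAKY_FIREWALL"  | check_killswitch; }

check_sample
check_leaky_sample || true   # expected to report the lan -> wan leak
# On a router: check_killswitch < /etc/config/firewall
```

The check is deliberately narrow: it looks only at zone defaults and zone-to-zone forwardings, so a permissive `config rule` that opens a separate path to wan would not be caught and still needs to be reviewed by hand.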