IPv4 list dhcp_option parameters

Hello,

I updated my DNS config, to ensure I also provide IPv4 DNS and not only IPv6 DNS to each client.

Adding list dhcp_option for LAN worked.

list dhcp_option '6,192.168.0.1'
list dhcp_option '3,192.168.0.1'
list dns 'aaaa:bbbb:cccc:ddd1::1'

For guest network I could only add

list dhcp_option '6,192.168.0.1'

After adding '3,192.168.0.1' for guest, I cannot connect anymore. What is the difference between 3, and 6,? I cannot find any hint in the Wiki yet.

Before you change settings consider first reading up on the subject :wink:

DNS and gateway are already set to the routers address by default so no need to add it

3 Likes

DHCP Option No. 3 is gateway
DHCP Option No. 6 is DNS (Name) Servers

You set a wrong gateway IP for the Guest network.

As @egc noted, you don't have to add these options.

1 Like

Hello many thanks for link, that's what I was looking for.

I understand that "3," Gateway should not be added, as it is already defined for the different guest network IP with 192.168.10.1.
Domain Name Server "6" nevertheless it seems - that I must add otherwise the network is not getting proper IP4 default gateway, only for IPv6 is provided... In LUCI Use default gateway is checked.

Since Option No. 6 is DNS, can you explain why you think you're getting the wrong gateway?

By chance, did you block input or forwarding on the Guest network firewall?

In WAN or Guest?

To be clear - only WAN should have a gateway configured, this is usually done automatically by DHCP.


Yes, the Guest network has the issue. Default Gateway is provided, but DNS Server IP(4) is not. Adding the line to guest, it works and all is fine.

Relevant config - ISP provide IPv6 prefix only, IPv4 is public only

config dhcp 'lan'
option interface 'lan'
option start '50'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.0.1'
list dhcp_option '3,192.168.0.1'
list dns 'aaaa:bbbb:cccc:ddd1::1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config dhcp 'guest'
option interface 'guest'
option start '10'
option limit '150'
option leasetime '12h'
list dhcp_option '6,192.168.0.1'

If left unspecified, the router will automatically send its own address as DHCP advertisements for both the gateway and DNS server (options 3 and 6, respectively).

It does appear that it can be necessary under certain circumstances to send these options when people have installed Adguard or other DNS modifying packages.

Let's see the complete config files to better understand the potential issues:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

On the guest interface, you must announce the router's IP address for that interface, not the address for the LAN interface.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'aaa:bbbb:6ba1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '...='
	option listen_port '51xxx'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '7'
	list addresses '192.168.1.1'

config wireguard_Wireguard
	option description 'Mobile'

	list allowed_ips '192.168.1.2/32'
	list allowed_ips 'aaaa:bbbb:cccc:ddd7::2/128'
	option endpoint_port '51xxx'
	option persistent_keepalive '25'
	option endpoint_host 'xxxx.xxx'
	option route_allowed_ips '1'


.... & mac ID configs removed ...

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config interface 'guest'
	option proto 'static'
	option device 'phy0-ap0'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '5353'
	option noresolv '0'
	list server '192.168.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.0.1'
	list dhcp_option '3,192.168.0.1'
	list dns 'aaaa:bbbb:cccc:ddd1::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore ‚1'

.... mac ID configs removed ...

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
config dhcp 'guest'
	option interface 'guest'
	option start '10'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.0.1'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'Wireguard'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WG'
	list proto 'udp'
	option src 'wan'
	option src_dport '518xx'
	option dest_ip 'aaaa:bbbb:ccccc:dddd1::1'
	option dest_port '518xx'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option name 'guest'

config forwarding
	option dest 'wan'

config forwarding
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest DHCP'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'guest dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

Whether queried by IPv4 or IPv6, a DNS server will show both the IPv4 and the IPv6 address of a domain name; the OS decides which one to use, and modern Windows often favours using IPv6.
You can instruct DNSMasq to only show IPv4 addresses to your clients (filter-AAAA)

I looked at your config but there is so much room for improvement that I do not know where to start :frowning:

In your network file, create a bridge for the guest network:

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

Then edit the guest network so that it looks like this (remove the gateway, update the device):

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

Change the DHCP option 6 to 192.168.10.1 for the guest network:

config dhcp 'guest'
	option interface 'guest'
	option start '10'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.10.1'

Disable masquerading on the lan zone:

Since you didn't share your Wireguard configuration, we don't know the context for how it is used. If it requires masquerading, remove it from the lan firewall zone and create a new zone for wireguard with masquerading enabled (and add lan > wireguard forwarding).

Delete these:

Reboot and test again.

1 Like

Yes, it's a fresh install with making ISP work, Wireguard and adguard to make it run.
If you have ideas to improve, I am happy for proposals!

Regarding IPv4 DNS, e.g. our TV & a tonie Box did only get IPv6 and IPv4 was empty. So at least until now it works, but if it is not a good config, I am surely happy to make it more robust as long as it works...

Yes, sorry, cut too much; updated above in the network section.

Ok. Based on the config, wireguard doesn’t need masquerading, but it can stay in the lan zone. Disable masquerading on the lan zone.

Thanks again - hope I included now all corrections and seems to work fine so far.

Next step - I want to establish at least one new VLAN for the guest network, so that my external TP_Link WIFI-MESH is only running in the guest network.

Here is the revised config - at @egc - if there are further major flaws or safety items, please give feedback.

root@OpenWrt:~# cat /etc/config/network
 
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
 
config globals 'globals'
        option ula_prefix 'aaaa:bbbb:cccc::/48'
 
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
 
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option delegate '0'
        option ip6hint '1'
 
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
 
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'
 
config interface 'Wireguard'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51xxx'
        option delegate '0'
        option ip6assign '64'
        option ip6hint '7'
        list addresses '192.168.1.1'
 
config wireguard_Wireguard
        option description 'Mobile'
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '192.168.1.2/32'
        list allowed_ips 'aaaa:bbb:cccc:ddd7::2/128'
        option endpoint_port '51xxx'
        option persistent_keepalive '25'
        option endpoint_host 'aaa.eu'
        option route_allowed_ips '1'
 
config device
        option name 'br-guest'
        option type 'bridge'
        option bridge_empty '1'
 
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
 
root@OpenWrt:~# cat /etc/config/dhcp
 
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '5353'
        option noresolv '0'
        list server '192.168.0.1'
 
config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.0.1'
        list dhcp_option '3,192.168.0.1'
        list dns 'aaaa:bbbb:cccc:ddd1::1'
 
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
 
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
  
config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '150'
        option leasetime '12h'
        list dhcp_option ‚6,192.168.10.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'Wireguard'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WG'
	list proto 'udp'
	option src 'wan'
	option src_dport '51xxx'
	option dest_ip 'aaaa:bbbb:cccc:ddd1::1'
	option dest_port '51xxx'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option name 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest DHCP'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'guest dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

The leading authority on these matters is psherman so you should always follow his lead :slight_smile:

Still a few remarks.

You can assign a GUA address on the WG interface but it is usually not done as it is not very convenient as prefixes change and the clients do not change automatically with it (there are ways to deal with this), so if you want to assign an IPv6 address you usually use an ULA address which you administer so that you also use the same ULA subnet for your WG clients (peers).
Using an 192.168.1.1 address is not recommended as this is frequently used already.
WireGuard is a routed solution so the server side, the WG subnet and the client side all need to be unique

Besides as WG address always use a /24 e.g. 172.17.17.1/24

option persistent_keepalive and option endpoint_host are not necessary on the server side and can be removed

I would remove list server '192.168.0.1'. This option specifies an upstream DNS server to use; this is the server itself so you create a loop. DNSMasq is smart enough to not use it, so no harm done.

list dhcp_option '6,192.168.0.1' and list dhcp_option '3,192.168.0.1' are redundant, if setup correctly DNSMasq will handout the routers address as gateway and DNS server

list dns 'aaaa:bbbb:cccc:ddd1::1' if this is the routers address see earlier comment

list dhcp_option ‚6,192.168.10.1' this has a syntax error; besides, it should be redundant as DNSMasq hands out the router's address (192.168.10.1) already as DNS server

A simple traffic rule is enough so instead of the above you can use:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51xxx'
	option proto 'udp'
	option target 'ACCEPT'

none of these things are show stoppers so it probably will work anyway , so if you are happy I am happy :slight_smile:

Well simplification is always welcome! Also would be nicer if e.g. config host would be in end of dhcp, to have nicer readable config...

Regarding Wireguard will check for fix IPv6 entries but never changed so far, rest was added to create appropriate 3D-barcode for different clients ...

Taking out list server in dnsmasq, fine so far.

But on the dhcp 'lan' and 'guest' for Gateway "6,", old devices are not receiving an IPv4 without it. Not sure of the cause, see start of thread, but it works like this.

That should not be necessary so there must be something odd in your setup but if it works for you ok :slight_smile:

But on dnsmasq it seems fine, can adguard be part of the challenge?

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '5353'
        option noresolv '0'

If you use Adguard for DNS then that probably is the problem indeed.

I do not use adguard it is too bloated for my taste and does not do anything adblock, http-dns proxy together with dnsmasq can do but that is just my personal taste/opinion

Edit: I totally missed that you are using Adguard, and I missed this in the DNSMasq config, which could give me an indication of what was going on

DNSMasq is not listening on port 53 and thus is not sending its own address as DNS server that now is the responsibility of your Adguard.

So you have made a setup error in Adguard, I can remember that in the Adguard config file (resolv.conf?) you have to add the routers address so that Adguard will send this address as DNS server @frollic knows more about this
Search the forum about this so that you can sanitize your DNSMasq config
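
The checks discussed in this thread (option 3 must point inside the interface's own subnet, option 6 should not announce another interface's router address, and dnsmasq moved off port 53 no longer advertises itself as DNS), as an added example that is not part of the original posts. The sample config is constructed from the thread's addresses, the finding names are this example's own labels, and only the plain 'code,value' form of dhcp_option is handled.

```python
import ipaddress
import re

# Constructed sample: guest clients in 192.168.10.0/24 handed the LAN router address.
NETWORK = """
config interface 'lan'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
config interface 'guest'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'
"""
DHCP = """
config dnsmasq
    option port '5353'
config dhcp 'lan'
    option interface 'lan'
    list dhcp_option '6,192.168.0.1'
    list dhcp_option '3,192.168.0.1'
config dhcp 'guest'
    option interface 'guest'
    list dhcp_option '3,192.168.0.1'
    list dhcp_option '6,192.168.0.1'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (type, name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        kind, key, val = m.groups()
        val = (val or "").strip().strip("'\"")
        if kind == "config":
            sections.append((key, val, {}))
        elif sections:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def audit(network_text, dhcp_text):
    """Return sorted (dhcp_section, finding, detail) tuples."""
    ifaces = {}
    for typ, name, o in parse_uci(network_text):
        if typ == "interface" and "ipaddr" in o and "netmask" in o:
            ifaces[name] = ipaddress.ip_interface(f"{o['ipaddr'][0]}/{o['netmask'][0]}")
    dhcp = parse_uci(dhcp_text)
    port = next((o.get("port", ["53"])[0] for t, _, o in dhcp if t == "dnsmasq"), "53")
    findings = []
    for typ, name, o in dhcp:
        iface = ifaces.get(o.get("interface", [""])[0])
        if typ != "dhcp" or iface is None:
            continue
        others = {i.ip for i in ifaces.values() if i is not iface}
        codes = set()
        for entry in o.get("dhcp_option", []):
            code, _, value = entry.partition(",")
            codes.add(code)
            if not code.isdigit():  # e.g. a typographic quote pasted into the value
                findings.append((name, "bad-syntax", entry))
            elif code in ("3", "6"):
                for ip in (ipaddress.ip_address(v.strip()) for v in value.split(",")):
                    if code == "3" and ip not in iface.network:
                        findings.append((name, "gateway-off-subnet", str(ip)))
                    if code == "6" and ip in others:
                        findings.append((name, "dns-on-other-interface", str(ip)))
        if port != "53" and "6" not in codes:  # dnsmasq off port 53 sends no option 6
            findings.append((name, "no-dns-advertised", f"dnsmasq port {port}"))
    return sorted(findings)
```

Run `audit()` on copies of /etc/config/network and /etc/config/dhcp taken from the router; an empty list means none of the three conditions was found.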