Issue with MX4300 extending Dumb AP with 2 VLANs, no internet from AP

I'm basically wondering if someone can validate my configuration, since this will help me determine whether I'm facing a bug with this particular router/firmware combination or whether this is user error. I've tried following the available guides and I believe this is correct, at least. Thanks. Configuration details below:

I've installed OpenWrt SNAPSHOT from the firmware selector on two MX4300s. If I use the main router on its own, everything works as expected. However, when I connect the dumb AP to the router using a trunk port, I am not able to reach the internet from the dumb AP: clients receive a DHCP address but cannot access the internet or ping the DHCP server (192.168.10.1).

I'm not experienced enough to go much further on my own so I appreciate the help. I've posted the output of route for each AP (I thought it was suspicious that there is no default route for my main lan 192.168.10.0 on the dumb AP, but I didn't configure it to be that way explicitly as far as I'm aware).

Main Router - MX4300

  VLAN10 - Trusted LAN
  VLAN20 - Untrusted LAN
  Br-lan with Ports tagged as follows
  Private SSID and Guest SSID
  AdguardHome setup using the wiki here: https://openwrt.org/docs/guide-user/services/dns/adguard-home

Notes:

  1. Everything works as expected on both VLANs, ethernet and wifi, when connecting directly to this router without the dumb AP connected.
  2. With second AP plugged in, I can access the second AP web interface at 192.168.10.2/ping it successfully.

Dumb AP - MX4300

  VLAN10 - Trusted LAN
  VLAN20 - Untrusted LAN
  Br-lan with Ports tagged as follows

Same port configuration as above screenshot (I can only post one embedded image as a new user, sorry)

Notes:

  1. Internet is not accessible from the AP itself (through ssh, ping to google fails for example)
  2. Clients successfully get DHCP address from main router, but cannot ping main router or access internet
  3. As seen in the screenshots, the router and the AP are connected on lan3

Things I’ve tried

  1. Reverting the dumb AP to 24.10.1, but I have since put it back on the same snapshot build to continue troubleshooting (haven't tried the main router yet)
  2. Eliminating the long ethernet cable run and testing the AP side-by-side with the router (current setup until I can get everything working)

Details about the configurations for each router (apologies for the formatting, not sure how to do this correctly):

Main router config -

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fd34:f0e1:964::/48'
	option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option bridge_empty '1'
        option igmp_snooping '1'

config device
        option name 'lan1'
        option macaddr '***'

config device
        option name 'lan2'
        option macaddr '***'

config device
        option name 'lan3'
        option macaddr '***'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.10.1/24'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.20.1/24'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2'
        list ports 'lan3:t'

config interface 'wg'
        option proto 'wireguard'
        option private_key '***'
        option listen_port '***'
        list addresses '10.12.0.1/32'
…wg clients below, redacted

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '54'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        option dhcpv6 'server'
        list dhcp_option '3,192.168.10.1'
        list dhcp_option '6,192.168.10.1'
        list dhcp_option '15,lan'
        list dns 'fd34:f0e1:964:10::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wg'
        option interface 'wg'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '3,192.168.20.1'
        list dhcp_option '6,192.168.20.1'

/etc/config/firewall

…All defaults except for the following (not sure if this is even necessary):

config rule
        option src 'untrusted'
        option name 'Guest DHCP and DNS'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option dest 'trusted'

Route output:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         REDACTED_IP     0.0.0.0         UG    0      0        0 wan
10.12.0.2       *               255.255.255.255 UH    0      0        0 wg
10.12.0.3       *               255.255.255.255 UH    0      0        0 wg
10.12.0.4       *               255.255.255.255 UH    0      0        0 wg
REDACTED_IP     REDACTED_IP     255.255.255.255 UGH   0      0        0 wan
REDACTED_IP     *               255.255.254.0   U     0      0        0 wan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan.10
192.168.20.0    *               255.255.255.0   U     0      0        0 br-lan.20

Dumb AP configuration:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option ula_prefix 'fd34:f0e1:964::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        option igmp_snooping '1'
        option macaddr '***'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr '***'

config device
        option name 'lan2'
        option macaddr '***'

config device
        option name 'lan3'
        option macaddr '***'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.2'
        option netmask '255.255.255.0'
        option gateway '192.168.20.1'
        option dns '192.168.20.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2'
        list ports 'lan3:t'

/etc/config/dhcp (both interfaces set to ignore)

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '54'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '3,192.168.10.1'
        list dhcp_option '6,192.168.10.1'
        list dhcp_option '15,lan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wg'
        option interface 'wg'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '3,192.168.20.1'
        list dhcp_option '6,192.168.20.1'
        list dhcp_option '15,lan'
        option ignore '1'

Default routes:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.20.1    0.0.0.0         UG    0      0        0 br-lan.20
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan.10
192.168.20.0    *               255.255.255.0   U     0      0        0 br-lan.20

You don't run any DHCP server on VLAN 10 / VLAN 20; clients can communicate, just not the normal way using IPv4 addresses.

Thanks for reading through the post. How do you recommend setting up the DHCP server? Not really confident I understand the alternative you're implying

Remove the last two lines:

Remove those same two lines here and also gbf macaddr.

On the ap, make the guest network unmanaged like this:

config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'

Restart both devices and test again. If it doesn’t work, let’s see the complete firewall configuration.
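As an added check (example code written for this thread, not OpenWrt's own tooling), the following Python parses the two UCI files in the format posted above and flags the points the replies have raised: a gateway set on more than one interface, a managed guest VLAN, an active DHCP pool on the AP, and a trunk port missing from a bridge-vlan. The parser is minimal (it handles `config`, `option` and `list` statements only) and the sample configs are constructed to mirror the AP's network and dhcp config as first posted.

```python
"""Check a dumb AP's /etc/config/network and /etc/config/dhcp against the rules
from this thread.  Added example, not OpenWrt code; the parser is minimal and
the sample configs below are constructed to mirror the AP config posted above."""
import re

TOKEN_RE = re.compile(r"'([^']*)'|(\S+)")  # quoted value or bare word


def parse_uci(text):
    """Parse UCI text into [{"type", "name", "options": {}, "lists": {}}]."""
    sections, cur = [], None
    for raw in text.splitlines():
        words = [q or bare for q, bare in TOKEN_RE.findall(raw.strip())]
        if len(words) < 2 or words[0].startswith("#"):
            continue
        if words[0] == "config":
            cur = {"type": words[1], "name": words[2] if len(words) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and words[0] in ("option", "list"):
            value = words[2] if len(words) > 2 else ""
            if words[0] == "option":
                cur["options"][words[1]] = value
            else:
                cur["lists"].setdefault(words[1], []).append(value)
    return sections


def check_dumb_ap(network_text, dhcp_text):
    """Return a list of findings; an empty list means the config passes."""
    net, findings = parse_uci(network_text), []
    ifaces = [s for s in net if s["type"] == "interface"]
    # Rule 1: only the management VLAN sets a gateway; with two, one wins
    # silently (in the thread the default route ended up on br-lan.20).
    with_gw = [s["name"] for s in ifaces if "gateway" in s["options"]]
    if len(with_gw) > 1:
        findings.append(f"gateway set on {with_gw}; keep it only on 'lan'")
    # Rule 2: the guest VLAN is bridged only (proto none), so the AP has no
    # address, and no reachable management plane, on the untrusted network.
    for s in ifaces:
        if s["name"] == "guest" and s["options"].get("proto") != "none":
            findings.append("guest is managed; set option proto 'none'")
    # Rule 3: a dumb AP runs no DHCP server, so every pool must be ignored.
    for s in parse_uci(dhcp_text):
        if s["type"] == "dhcp" and s["options"].get("ignore") != "1":
            findings.append(f"dhcp pool '{s['name']}' is active; set ignore '1'")
    # Rule 4: every tagged (trunk) port must be a member of every bridge-vlan,
    # or that VLAN never crosses the link to the main router.
    vlans = [s for s in net if s["type"] == "bridge-vlan"]
    trunk = {p for s in vlans for p in s["lists"].get("ports", []) if p.endswith(":t")}
    for s in vlans:
        missing = sorted(trunk - set(s["lists"].get("ports", [])))
        if missing:
            findings.append(f"VLAN {s['options'].get('vlan')} lacks trunk port(s) {missing}")
    return findings


# Constructed sample configs (same shape as the AP config posted above).
LAN = """
config interface 'lan'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.2'
    option netmask '255.255.255.0'
    option gateway '192.168.10.1'
"""
GUEST_STATIC = """
config interface 'guest'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.2'
    option netmask '255.255.255.0'
    option gateway '192.168.20.1'
"""
GUEST_NONE = """
config interface 'guest'
    option device 'br-lan.20'
    option proto 'none'
"""
BRIDGE_VLANS = """
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1'
    list ports 'lan3:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan2'
    list ports 'lan3:t'
"""
DHCP_BEFORE = ("config dhcp 'lan'\n option interface 'lan'\n option ignore '1'\n"
               "config dhcp 'guest'\n option interface 'guest'\n option start '100'\n")
AP_BEFORE = (LAN + GUEST_STATIC + BRIDGE_VLANS, DHCP_BEFORE)
AP_AFTER = (LAN + GUEST_NONE + BRIDGE_VLANS, DHCP_BEFORE + " option ignore '1'\n")

if __name__ == "__main__":
    for label, (net, dhcp) in (("before", AP_BEFORE), ("after", AP_AFTER)):
        print(label + ":", check_dumb_ap(net, dhcp) or "OK")
```

Running it on the embedded samples reports three findings for the "before" config and none for the "after" one. Against a real device, copy `/etc/config/network` and `/etc/config/dhcp` to a workstation and call `check_dumb_ap(open("network").read(), open("dhcp").read())`; the main router is not checked by these rules, since it is supposed to run DHCP and carry the only gateway.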

Applied the suggested changes. Still can't access the internet from the AP. Observed behavior is as follows:

  1. Can no longer ping 192.168.10.2 (AP VLAN10) or access AP web ui when connected from Router A VLAN10 SSID.
  2. Internet still works connected from Router A VLAN10 and VLAN20.
  3. Still can get IP address from DHCP on VLAN10 when connected to AP (VLAN10 SSID).
  4. Cannot ping Router A when connected from AP (Ethernet VLAN10 or SSID VLAN10).
  5. Cannot ping Router A or access internet from AP on guest (VLAN20), but DHCP still works and an address in the 192.168.20.x range is given.

Full firewall config for Router A:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '0'
	option synflood_protect '1'

config zone
	option name 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'trusted'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'trusted'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'trusted'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'

config zone
	option name 'untrusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'untrusted'
	option dest 'wan'

config rule
	option src 'untrusted'
	option name 'Guest DHCP and DNS'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option dest 'trusted'

Double check your connections... make sure that port lan3 on the router is connected directly to port lan3 on the AP. There should be nothing in-between (i.e. no switches).

I took a picture of the connections here, I'm also standing right next to this setup. Left is AP and right is Router A. Top cable is lan3 (trunk, I've tried another ethernet cable as well), bottom cable (wan, Router A) goes to modem.

Do you think this is a bug in OpenWrt, if everything else checks out? Not sure where to go from here. Thanks for helping out so far!

Router A VLAN filtering:

AP VLAN filtering:

Let's review the complete configs of both devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
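For the redaction step requested above, here is an added helper (example code, not part of the thread or of OpenWrt) that takes a pasted dump of the listed commands and replaces key material, passwords, MAC addresses and globally routable IPv4 addresses before the text leaves the device owner's hands. Private and other non-global IPv4 addresses are kept on purpose, because they carry the topology the helpers need to see. It assumes the UCI layout shown in this thread; the sample dump is constructed, and IPv6 addresses are left untouched, so a global IPv6 prefix still has to be redacted by hand.

```python
"""Redact a config dump before posting it: keys, passwords, MAC addresses and
public IPv4 addresses go, private addresses stay so the topology stays readable.
Added example, not from the thread; the sample dump below is constructed."""
import ipaddress
import re

# option names whose value is a secret (WireGuard keys, wifi keys, passwords)
SECRET_RE = re.compile(
    r"^(\s*option\s+(?:key|private_key|public_key|preshared_key|password|endpoint_host)\s+).*$")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def _redact_ipv4(match):
    """Keep RFC 1918, loopback, link-local etc.; replace globally routable ones."""
    token = match.group(0)
    addr, sep, prefix = token.partition("/")
    try:
        if not ipaddress.IPv4Address(addr).is_global:
            return token
    except ValueError:          # e.g. 999.1.1.1 matched the loose regex
        return token
    return "REDACTED_IP" + sep + prefix


def redact(text):
    """Return the dump with secrets and identifying values replaced."""
    out = []
    for line in text.splitlines():
        line = SECRET_RE.sub(r"\1'REDACTED'", line)
        # keep the last octet, as the poster did, so "same MAC on every
        # port" stays visible without exposing the full address
        line = MAC_RE.sub(lambda m: "XX:XX:XX:XX:XX:" + m.group(0)[-2:], line)
        line = IPV4_RE.sub(_redact_ipv4, line)
        out.append(line)
    return "\n".join(out)


# Constructed sample dump: a WireGuard section, a port device and two route lines.
SAMPLE = """\
config interface 'wg'
\toption proto 'wireguard'
\toption private_key 'bm90LWEtcmVhbC1rZXktanVzdC1hLXNhbXBsZS12YWx1ZQ=='
\toption listen_port '51820'
\tlist addresses '10.12.0.1/32'

config device
\toption name 'lan3'
\toption macaddr 'a4:5e:60:1b:2c:87'

default         1.2.3.4         0.0.0.0         UG    0      0        0 wan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan.10
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Pipe the output of the five commands through `redact` on a workstation and paste the result; the WireGuard listen port is deliberately left as-is, since it is not a secret by itself and the helpers may need it to reason about the firewall.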

Ok, here's the full config. One thing I can note is that lan1, lan2 and lan3 all have the same MAC address on both Router A and the AP, but I'm not sure if this is significant.

Router A, which also has AdGuard Home running on port 53:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.33",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys MX4300",
	"board_name": "linksys,mx4300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r30072-98ead2c70f",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r30072-98ead2c70f",
		"builddate": "1749724935"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fd34:f0e1:964::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr 'XX:XX:XX:XX:XX:87'

config device
	option name 'lan2'
	option macaddr 'XX:XX:XX:XX:XX:87'

config device
	option name 'lan3'
	option macaddr 'XX:XX:XX:XX:XX:87'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.10.1/24'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.20.1/24'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2'
	list ports 'lan3:t'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses '10.12.0.1/32'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	list allowed_ips '10.12.0.2'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'
	option preshared_key 'REDACTED'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '10.12.0.3'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '10.12.0.4'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'lan_disabled'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option disabled '1'
	option multicast_to_unicast_all '1'
	option ieee80211r '1'
	option ft_over_ds '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'home_N'
	option network 'guest'
	option encryption 'psk2'
	option key 'REDACTED'
	option multicast_to_unicast_all '1'
	option isolate '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+2'
	option band '5g'
	option channel '153'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'home'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option multicast_to_unicast_all '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'lan_disabled'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option network 'lan'
	option disabled '1'
	option multicast_to_unicast_all '1'
	option ieee80211r '1'
	option ft_over_ds '0'

config wifi-iface 'wifinet5'
	option device 'radio2'
	option mode 'ap'
	option ssid 'lan_disabled'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option key 'REDACTED'
	option network 'lan'
	option ocv '0'
	option disabled '1'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest_disabled'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option key 'REDACTED'
	option ocv '0'
	option network 'guest'
	option disabled '1'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest_disabled'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option isolate '1'
	option key 'REDACTED'
	option ocv '0'
	option network 'guest'
	option disabled '1'

config wifi-iface 'wifinet8'
	option device 'radio2'
	option mode 'ap'
	option ssid 'home_guest'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option isolate '1'
	option key 'REDACTED'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ocv '0'
	option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option port '54'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	option dhcpv6 'server'
	list dhcp_option '3,192.168.10.1'
	list dhcp_option '6,192.168.10.1'
	list dhcp_option '15,lan'
	list dns 'fd34:f0e1:964:10::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wg'
	option interface 'wg'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '3,192.168.20.1'
	list dhcp_option '6,192.168.20.1'
	list dhcp_option '15,lan'
	list dns 'fd34:f0e1:964:10::1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '0'
	option synflood_protect '1'

config zone
	option name 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'trusted'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'trusted'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'trusted'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'

config zone
	option name 'untrusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'untrusted'
	option dest 'wan'

config rule
	option src 'untrusted'
	option name 'Guest DHCP and DNS'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option dest 'trusted'

AP config:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.33",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys MX4300",
	"board_name": "linksys,mx4300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r30072-98ead2c70f",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r30072-98ead2c70f",
		"builddate": "1749724935"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fd34:f0e1:964::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr 'XX:XX:XX:XX:XX:87'

config device
	option name 'lan2'
	option macaddr 'XX:XX:XX:XX:XX:87'

config device
	option name 'lan3'
	option macaddr 'XX:XX:XX:XX:XX:87'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2'
	list ports 'lan3:t'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port 'REDACTED'
	list addresses '10.12.0.1/32'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	list allowed_ips '10.12.0.2'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'
	option preshared_key 'REDACTED'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '10.12.0.3'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'

config wireguard_wg
	option description 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '10.12.0.4'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'home_disabled'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option multicast_to_unicast_all '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'home_N_disabled'
	option network 'guest'
	option encryption 'psk2'
	option key 'REDACTED'
	option multicast_to_unicast_all '1'
	option isolate '1'
	option disabled '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+2'
	option band '5g'
	option channel '153'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'home_disabled'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option disabled '1'
	option multicast_to_unicast_all '1'
	option ieee80211r '1'
	option ft_over_ds '0'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'home_disabled'
	option encryption 'sae'
	option key 'REDACTED'
	option ocv '0'
	option network 'lan'
	option disabled '1'
	option multicast_to_unicast_all '1'
	option ieee80211r '1'
	option ft_over_ds '0'

config wifi-iface 'wifinet5'
	option device 'radio2'
	option mode 'ap'
	option ssid 'home_lan'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option key 'REDACTED'
	option network 'lan'
	option ocv '0'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'home_guest_disabled'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option key 'REDACTED'
	option ocv '0'
	option network 'guest'
	option disabled '1'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home_guest_disabled1'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option isolate '1'
	option key 'REDACTED'
	option ocv '0'
	option network 'guest'
	option ieee80211r '1'
	option ft_over_ds '0'
	option disabled '1'

config wifi-iface 'wifinet8'
	option device 'radio2'
	option mode 'ap'
	option ssid 'home_guest1'
	option encryption 'sae'
	option multicast_to_unicast_all '1'
	option isolate '1'
	option key 'REDACTED'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ocv '0'
	option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option port '54'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '3,192.168.10.1'
	list dhcp_option '6,192.168.10.1'
	list dhcp_option '15,lan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wg'
	option interface 'wg'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '3,192.168.20.1'
	list dhcp_option '6,192.168.20.1'
	list dhcp_option '15,lan'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '0'
	option synflood_protect '1'

config zone
	option name 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'trusted'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'trusted'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'trusted'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'

config zone
	option name 'untrusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'untrusted'
	option dest 'wan'

config rule
	option src 'untrusted'
	option name 'Guest DHCP and DNS'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option dest 'trusted'

config forwarding
	option src 'trusted'
	option dest 'untrusted'

Yes, that is a major issue.

It's okay for all of the lan ports on a device to have the same MAC, but different devices must have different MACs.

Also, is there a reason you're using snapshots??

Ok thanks for confirming the MAC address issue. I can try changing the MAC addresses for the AP and see what happens.

In regards to the snapshot -- 24.10.1 builds have an issue where the web ui does not allow you to click "save" if you have a VLAN setup such as mine and try to add an SSID to that network. I was able to work around this by updating the luci packages or editing the config from ssh. However, I have another MX4300 running on a snapshot build with 8 months of uptime and 0 issues (although, single device no VLAN setup or anything) so I thought I would give the snapshot a try here.

Do you recommend 24.10.1 instead?

Generally yes, but it seems you have a reason to be on Snapshot. I have seen a few isolated threads (maybe one of yours) about this LuCI issue, but I haven't experienced it myself (although I don't do as much with LuCI). I don't know the details as to why that is happening and if it is a bug or something else.

Great news! I'm replying to you from the AP, all is working now that I changed the MAC addresses for the AP to be different from the router. This must be some rookie/common mistake that I overlooked when using two routers that are the same model. Thanks so much for the help!

One strange thing now is that the speed is abysmal through the AP

Router speed test:

Why does the AP have wireguard stuff configured? Among many other things, it looks like you tried to copy the configuration from one to the other. That won’t work properly. The AP should be largely simple in its configuration.

Yes I did use the router config as a base configuration, that seems to be where my initial problems came from. I think I might reset this AP and try configuring from scratch now that this setup has been validated. Let me try that really quick.

I configured the AP from scratch with only VLAN tagging and the necessary bridges and I'm still getting the same result, speed is about this through both ethernet and WIFI. In the bridge advanced settings where the VLAN tagging is done the connection shows 1000FD.

My original issue is technically "solved" but this other issue leaves it pretty much unusable. I could try 24.10.1 on both devices I guess, not sure what else could be wrong.

Speedtest shown is through ethernet.

Yeah. Reset your AP to defaults and then configure with the bridged AP guide. Do this just for the main network and then add the second one as unmanaged.

Because the initial config will be assuming untagged connections, use one of the other lan ports for this config process.

You gave me an idea actually so I tried just now connecting the router and AP from lan1 -> lan1 to avoid the trunk port. I'm seeing better results through the speed test:

Edit: So I'm not sure if this device is simply too slow for the VLANs or maybe there's a bug somewhere if my config looks good. Btw I reset the AP and configured the same VLAN tagging and followed the steps in the "Dumb AP" guide.

Couple of issues that I encountered here:

  1. MAC addresses were the same for the Router and AP due to copying and pasting the config from one to the other. Fixed with @psherman's advice.
  2. Slowness over the wired trunk line even after fixing #1 - Finally found a related openwrt OPEN bug here that solves the issue. Setting rx-gro-list to off on the trunk port (router and AP) fixed the speed issues. Note: router already had it off somehow but the AP didn't for me: https://github.com/openwrt/openwrt/issues/19195#issuecomment-2993472302
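As an added example (not code from the thread), here are the two checks that correspond to the two causes summarised above, written in POSIX sh as found on an OpenWrt box: one flags MACs that appear on both the router and the AP, the other confirms rx-gro-list is off in `ethtool -k` output. The interface names, MACs and ethtool output are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Runs in busybox/ash on OpenWrt.
# All interface names, MACs and ethtool output below are constructed samples.

# Sample `ip -o link` output from the router and from the AP (constructed).
# Both devices carry the same cloned MAC on lan1, which is the bug found above.
ROUTER_LINKS='1: lo: <LOOPBACK,UP> mtu 65536 link/loopback 00:00:00:00:00:00
2: lan1: <BROADCAST,MULTICAST,UP> mtu 1500 link/ether 02:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: lan2: <BROADCAST,MULTICAST,UP> mtu 1500 link/ether 02:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff'
AP_LINKS='1: lo: <LOOPBACK,UP> mtu 65536 link/loopback 00:00:00:00:00:00
2: lan1: <BROADCAST,MULTICAST,UP> mtu 1500 link/ether 02:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: lan2: <BROADCAST,MULTICAST,UP> mtu 1500 link/ether 02:aa:bb:cc:dd:02 brd ff:ff:ff:ff:ff:ff'

# Distinct link/ether MACs in one device's `ip -o link` output.
macs_of() {
  printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i=="link/ether") print $(i+1)}' | sort -u
}

# Print every MAC present on BOTH devices; return 0 if any is shared, 1 if none.
# Several ports of one device sharing a MAC is fine; two devices sharing one is not.
shared_macs() {
  found=1
  for m in $(macs_of "$1"); do
    if macs_of "$2" | grep -qx "$m"; then
      echo "$m"
      found=0
    fi
  done
  return $found
}

# Sample `ethtool -k lan1` excerpt from the AP before the fix (constructed).
ETHTOOL_BEFORE='Features for lan1:
rx-checksumming: on
generic-receive-offload: on
rx-gro-list: on
tx-gro-list: off [fixed]'

# Return 0 when rx-gro-list is reported off in `ethtool -k` output, 1 otherwise.
gro_list_is_off() {
  printf '%s\n' "$1" | grep -q '^rx-gro-list: off'
}

# Apply the fix from the thread to a live trunk port and re-check it.
# Not invoked here; on a box run e.g. `disable_gro_list lan1` (and put the
# ethtool -K line in /etc/rc.local so it survives a reboot).
disable_gro_list() {
  ethtool -K "$1" rx-gro-list off && gro_list_is_off "$(ethtool -k "$1")"
}

shared_macs "$ROUTER_LINKS" "$AP_LINKS" || echo "no MAC shared between router and AP"
```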