[Master] Guest network not working: 'DHCP packet received on wlan0 which has no address'

I'm running a master build on my RT-AC57U (ramips/mt7621 with DSA). The guest network had been working fine on 19.07 but re-applying my UCI script on the master build doesn't seem to yield the same results. The client is not getting an IP. I'm seeing the following message in logread:

daemon.warn dnsmasq-dhcp[6034]: DHCP packet received on wlan0 which has no address

Configuration:

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '6'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT40'
	option country 'SK'
	option legacy_rates '0'

config wifi-iface 'guest_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid '<redacted>'
	option encryption 'psk2+ccmp'
	option key '<redacted>'
	option isolate '1'
	option wpa_disable_eapol_key_retries '1'

/etc/config/network

config interface 'guest'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.1.1/24'

/etc/config/dhcp

config dhcp 'guest'
	option interface 'guest'
	option leasetime '3h'
	option start '40'
	option limit '21'
	list dhcp_option '3,10.0.1.1'
	list dhcp_option '6,10.0.1.1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

Grateful for any pointers. Fiancée's smartphone is still on Android 9 and won't work with the main WPA3 AP. She's getting a bit cross with me because the guest AP isn't working either :stuck_out_tongue:

I would try using "option ipaddr" and "option netmask" instead of "list ipaddr".

That's how I had it before. I checked in LuCI if anything was amiss though, and it turns the default netmask (C class network) into /24 now, and a 'list' instead of 'option'.

I've tried reverting but no difference.

Post the runtime configuration:

ip a; ip r; ip ru; iptables-save

Sorry @vgaetera I didn't have access to the router yet. I do now. Results below. If I'm understanding the error message right, it's complaining the wlan0 interface (guest radio) has no local network IP, while it's part of the guest network 10.0.1.1.

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc fq_codel state UP group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42b0:76ff:fe24:24bc/64 scope link 
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:b0:76:24:24:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.21/24 brd 192.168.178.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 2a02:578:8586:800:42b0:76ff:fe24:24b8/128 scope global dynamic noprefixroute 
       valid_lft 6949sec preferred_lft 3349sec
    inet6 fe80::42b0:76ff:fe24:24b8/64 scope link 
       valid_lft forever preferred_lft forever
4: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
7: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd84:f1c2:979e:10::f7a/128 scope global dynamic noprefixroute 
       valid_lft 22726sec preferred_lft 22726sec
    inet6 fd84:f1c2:979e:10::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::42b0:76ff:fe24:24bc/64 scope link 
       valid_lft forever preferred_lft forever
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.10.1/24 brd 10.0.10.255 scope global wg0
       valid_lft forever preferred_lft forever
23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:b0:76:24:24:b8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42b0:76ff:fe24:24b8/64 scope link 
       valid_lft forever preferred_lft forever
24: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 40:b0:76:24:24:bc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42b0:76ff:fe24:24bc/64 scope link 
       valid_lft forever preferred_lft forever
# ip r
default via 192.168.178.1 dev wan proto static src 192.168.178.21 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1 
192.168.178.0/24 dev wan proto kernel scope link src 192.168.178.21
# ip ru
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# iptables-save
# Generated by iptables-save v1.8.4 on Mon Sep 14 08:45:11 2020
*nat
:PREROUTING ACCEPT [34577:3019134]
:INPUT ACCEPT [2910:184168]
:OUTPUT ACCEPT [3904:296930]
:POSTROUTING ACCEPT [18261:1285402]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_postrouting - [0:0]
:zone_wg_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i usb0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg_prerouting
-A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_guest_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o usb0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg_postrouting
-A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_guest_postrouting
-A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.5/32 -p tcp -m tcp --dport 4505 -m comment --comment "!fw3: Salt 1 (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.5/32 -p tcp -m tcp --dport 4506 -m comment --comment "!fw3: Salt 2 (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.15/32 -p tcp -m tcp --dport 17654 -m comment --comment "!fw3: Rtorrent (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.15/32 -p udp -m udp --dport 17654 -m comment --comment "!fw3: Rtorrent (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.178.21/32 -p tcp -m tcp --dport 4505 -m comment --comment "!fw3: Salt 1 (reflection)" -j DNAT --to-destination 10.0.0.5:4505
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.178.21/32 -p tcp -m tcp --dport 4506 -m comment --comment "!fw3: Salt 2 (reflection)" -j DNAT --to-destination 10.0.0.5:4506
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.178.21/32 -p tcp -m tcp --dport 17654 -m comment --comment "!fw3: Rtorrent (reflection)" -j DNAT --to-destination 10.0.0.15:17654
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.178.21/32 -p udp -m udp --dport 17654 -m comment --comment "!fw3: Rtorrent (reflection)" -j DNAT --to-destination 10.0.0.15:17654
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 4505 -m comment --comment "!fw3: Salt 1" -j DNAT --to-destination 10.0.0.5:4505
-A zone_wan_prerouting -p tcp -m tcp --dport 4506 -m comment --comment "!fw3: Salt 2" -j DNAT --to-destination 10.0.0.5:4506
-A zone_wan_prerouting -p tcp -m tcp --dport 17654 -m comment --comment "!fw3: Rtorrent" -j DNAT --to-destination 10.0.0.15:17654
-A zone_wan_prerouting -p udp -m udp --dport 17654 -m comment --comment "!fw3: Rtorrent" -j DNAT --to-destination 10.0.0.15:17654
-A zone_wg_postrouting -m comment --comment "!fw3: Custom wg postrouting rule chain" -j postrouting_wg_rule
-A zone_wg_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wg_prerouting -m comment --comment "!fw3: Custom wg prerouting rule chain" -j prerouting_wg_rule
COMMIT
# Completed on Mon Sep 14 08:45:11 2020
# Generated by iptables-save v1.8.4 on Mon Sep 14 08:45:11 2020
*raw
:PREROUTING ACCEPT [1486999:951835384]
:OUTPUT ACCEPT [34458:3211729]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A PREROUTING -i wlan0 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Mon Sep 14 08:45:11 2020
# Generated by iptables-save v1.8.4 on Mon Sep 14 08:45:11 2020
*mangle
:PREROUTING ACCEPT [1487001:951835488]
:INPUT ACCEPT [16331:1728767]
:FORWARD ACCEPT [1466655:949060379]
:OUTPUT ACCEPT [34460:3212017]
:POSTROUTING ACCEPT [1500995:952265487]
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Sep 14 08:45:11 2020
# Generated by iptables-save v1.8.4 on Mon Sep 14 08:45:11 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_dest_ACCEPT - [0:0]
:zone_wg_forward - [0:0]
:zone_wg_input - [0:0]
:zone_wg_output - [0:0]
:zone_wg_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p udp -m udp --dport 8192 -m comment --comment "!fw3: Allow-Wireguard-Inbound" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i usb0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_input
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_guest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i usb0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_forward
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o usb0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_output
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_guest_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guest_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Guest WAN HTTP access" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Guest WAN HTTPS access" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Drop all further Guest traffic" -j zone_wan_dest_DROP
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -d 192.168.178.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Fritz!Box" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -d 192.168.178.1/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: Fritz!Box" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg forwarding policy" -j zone_wg_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o usb0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o usb0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_DROP -o wan -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_DROP -o usb0 -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o usb0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i usb0 -m comment --comment "!fw3" -j reject
-A zone_wg_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wg_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wg_forward -m comment --comment "!fw3: Custom wg forwarding rule chain" -j forwarding_wg_rule
-A zone_wg_forward -m comment --comment "!fw3: Zone wg to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wg_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wg_forward -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
-A zone_wg_input -m comment --comment "!fw3: Custom wg input rule chain" -j input_wg_rule
-A zone_wg_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wg_input -m comment --comment "!fw3" -j zone_wg_src_ACCEPT
-A zone_wg_output -m comment --comment "!fw3: Custom wg output rule chain" -j output_wg_rule
-A zone_wg_output -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
-A zone_wg_src_ACCEPT -i wg0 -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Mon Sep 14 08:45:11 2020

This should help:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/extra#resolving_race_conditions

Thanks, that doesn't seem to be changing anything however. Still seeing the 'DHCP packet received on wlan0 which has no address' message.

# uci show network.guest
network.guest=interface
network.guest.proto='static'
network.guest.ip6assign='60'
network.guest.ipaddr='10.0.1.1/24'
network.guest.type='bridge'
network.guest.ifname='dummy0'
# uci show dhcp.guest
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.leasetime='3h'
dhcp.guest.start='40'
dhcp.guest.limit='21'
dhcp.guest.dhcp_option='3,10.0.1.1' '6,10.0.1.1'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra='server'
dhcp.guest.ra_management='1'
dhcp.guest.force='1'
lsmod | grep -e dummy; brctl show; ip address show dev br-guest

Remove the "ifname dummy0" option.

# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.40b0762424bc	no		lan1
							lan2
							lan3
							lan4
							wlan1

The br-guest device did not show up, but an ifdown guest / ifup guest made it show:

# ip addr show br-guest
25: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:b0:76:24:24:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.1/24 brd 10.0.1.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fd84:f1c2:979e::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a02:578:8586:8fc::1/62 scope global dynamic noprefixroute 
       valid_lft 6324sec preferred_lft 2724sec
    inet6 fe80::42b0:76ff:fe24:24b8/64 scope link 
       valid_lft forever preferred_lft forever

That is showing now, and the client is getting an IP again - so progress! Thanks! However, the (Android) client shows 'connected but no internet'. I'll need to fiddle a bit to be able to ping and diagnose. But I'm suspecting no DNS.

But keep the "bridge" type?

What is the output?

Are you sure this is enough to resolve the race condition?

Keeping the dummy interface should make the bridge work even before the wireless becomes ready.
Otherwise, there's no child interface and the bridge cannot be configured when netifd starts.

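
A quick check for the symptom discussed in this thread, added here as an example and not taken from any of the posts: it parses `ip a` output and reports interfaces that are UP, have no IPv4 address of their own and are not enslaved to a bridge, which is exactly the state wlan0 was in before the guest interface was given type 'bridge'. The two sample dumps are constructed from the thread's runtime output, trimmed to the relevant interfaces.

```shell
#!/bin/sh
# Added example, not code from the thread: find interfaces that would make dnsmasq
# log "DHCP packet received on <iface> which has no address".
# Rule: an interface is suspect when it is administratively UP, is not loopback,
# carries no IPv4 address itself and is not enslaved to a bridge ("master br-x"),
# because then nothing on it (or on a parent bridge) can serve the DHCP pool.
# Reads `ip a` text on stdin; on the router:  ip a | ifaces_missing_ipv4

ifaces_missing_ipv4() {
    awk '
    function report() {
        if (name != "" && name != "lo" && up && !inet && !master) print name
    }
    # Header line of each record: "23: wlan0: <FLAGS> mtu ... master br-x ..."
    /^[0-9]+: / {
        report()
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        up = ($0 ~ /[<,]UP[,>]/)
        master = ($0 ~ / master /)
        inet = 0
        next
    }
    # Address lines are indented; only IPv4 ("inet ", not "inet6 ") counts here.
    /^ +inet / { inet = 1 }
    END { report() }
    '
}

# Constructed sample modelled on the "before" output in the thread: wlan0 is UP but
# has only a link-local IPv6 address and no bridge master, while br-lan is fine.
SAMPLE_BEFORE='10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fe80::42b0:76ff:fe24:24b8/64 scope link
24: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    inet6 fe80::42b0:76ff:fe24:24bc/64 scope link'

# Constructed sample for the "after" state once network.guest.type is bridge:
# wlan0 is enslaved to br-guest, and br-guest holds 10.0.1.1/24.
SAMPLE_AFTER='23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    inet6 fe80::42b0:76ff:fe24:24b8/64 scope link
25: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.1.1/24 brd 10.0.1.255 scope global br-guest'

echo "before fix:"; printf '%s\n' "$SAMPLE_BEFORE" | ifaces_missing_ipv4   # wlan0
echo "after fix:";  printf '%s\n' "$SAMPLE_AFTER"  | ifaces_missing_ipv4   # (nothing)
```
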
I never used a dummy interface, and never had race condition issues... but perhaps there is some issue and I am not aware of it.

@vgaetera I don't have the dummy module loaded or compiled in, so setting the device type to 'bridge' seemed to suffice to get rid of the 'DHCP packet received on wlan0 which has no address' message.

To be sure, I removed the ifname dummy0 line, and restarted the interface. The client gets an IP just fine now. So it looks like you don't need the dummy module and line.

Still looking into the 'no connectivity' issue on the client. Will update once I've got root on that freaking tablet.

Edit: so pinging 10.0.1.1 from the client works, DNS resolution seems to work as well. But pinging anything outside the LAN does not work (e.g. 9.9.9.9 will return 'From 10.0.1.1: Destination Port Unreachable').

It looks like DNS (so Unbound) is working since I am seeing debug info being printed e.g. when I try pinging tweakers.net, and the ping command prints the matching IP.

Unbound debug log

Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: resolving tweakers.net. A IN
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: response for tweakers.net. A IN
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: reply from <tweakers.net.> 213.239.154.33#53
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: query response was ANSWER
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: NSEC3s for the referral proved no DS.
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: Verified that unsigned response is INSECURE
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: resolving 1.1.0.10.in-addr.arpa. PTR IN
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: response for 1.1.0.10.in-addr.arpa. PTR IN
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: reply from <1.0.10.in-addr.arpa.> 127.0.0.1#54
Tue Sep 15 12:23:16 2020 daemon.info unbound: [9549:0] info: query response was ANSWER

So there's something else wrong. What should I be looking at?

These are the firewall settings for the guest network:

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Guest WAN HTTP access'
	option target 'ACCEPT'
	option src 'guest'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '80'

config rule
	option name 'Guest WAN HTTPS access'
	option target 'ACCEPT'
	option src 'guest'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'

config rule
	option name 'Drop all further Guest traffic'
	option target 'DROP'
	option src 'guest'
	option dest 'wan'
	option proto 'all'

Trying telnet tweakers.net 80 (which should work since the port is explicitly allowed) gives 'connection refused'.

Okay, so as a followup, there seemed to be some weirdness with the firewall rules for the guest network.

I disabled the guest zone rules in LuCI. Hit 'Save & Apply'. Re-enabled them. Hit 'Save & Apply'. And now the guest network works again. Go figure.

Not the first time I've seen this kind of weirdness with firewall rules...

This sort of issue is best troubleshot starting from the runtime configuration.