I have been following a video OneMarcFifty Configuring OpenWRT to set up OpenWRT. I have used DD-WRT for a long time, but only its basics as my network was monolithic. I wanted to segment my network so I bought some TP-Link routers and installed OpenWRT and proceeded to follow the video linked to verbatim.
Everything is working, but when I connect to the WiFi AP's, I get a DHCP address appropriate to the zone, but have no internet access. I am about to pull my hair out trying to figure this out because I know it has to be something incredibly simple I am missing. I am hoping someone here will be able to help out.
dnsmasq
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'GUEST'
option start '100'
option limit '150'
option interface 'GUEST'
option leasetime '2h'
config dhcp 'IOT'
option start '100'
option limit '150'
option interface 'IOT'
option leasetime '4h'
network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.0.3'
option delegate '0'
option ifname 'eth1.10'
config interface 'wan'
option proto 'dhcp'
option ifname 'eth0.20'
option peerdns '0'
option force_link '1'
list dns '9.9.9.9'
list dns '208.67.220.220'
list dns '103.86.96.100'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '10'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 1'
option vid '20'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '99'
config interface 'GUEST'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '172.16.10.1'
config interface 'IOT'
option type 'bridge'
option proto 'static'
option delegate '0'
option netmask '255.255.255.0'
option ipaddr '192.168.10.1'
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
option delegate '0'
wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option country 'US'
option htmode 'VHT20'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option country 'US'
config wifi-iface 'wifinet0'
option device 'radio1'
option hidden '1'
option ieee80211r '1'
option mode 'ap'
option ft_psk_generate_local '1'
option ft_over_ds '0'
option ssid 'ArticleTwo'
option key '*********'
option encryption 'psk-mixed'
option network 'IOT'
config wifi-iface 'wifinet1'
option device 'radio1'
option isolate '1'
option ieee80211r '1'
option mode 'ap'
option ft_psk_generate_local '1'
option ft_over_ds '0'
option ssid 'RedDirt-Guest'
option key '*********'
option encryption 'psk-mixed'
option network 'GUEST'
config wifi-iface 'wifinet2'
option ssid 'ArticleOne'
option device 'radio0'
option hidden '1'
option key '*********'
option mode 'ap'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option ieee80211r '1'
option isolate '1'
option encryption 'psk-mixed'
option network 'GUEST'
firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option family 'ipv4'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
option family 'ipv4'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option name 'GuestZone'
option output 'ACCEPT'
option input 'REJECT'
option network 'GUEST'
option family 'ipv4'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'IoTZone'
option output 'ACCEPT'
option network 'IOT'
option family 'ipv4'
config forwarding
option dest 'IoTZone'
option src 'lan'
config rule
option dest_port '53 67 68'
option src 'GuestZone'
option name 'Guest-DNS-DHCP'
option family 'ipv4'
option target 'ACCEPT'
config zone
option network 'VPN'
option name 'NordVPN'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
config forwarding
option dest 'NordVPN'
option src 'lan'
config forwarding
option dest 'wan'
option src 'GuestZone'
Please, be gentle, I am new to OpenWRT if that is not already obvious.