Routing all LAN traffic through Zerotier

This is on a PI 4
I seem to be getting quite stuck.
Essentially this is to be a VPN access point at a remote site.
The device is a R Pi 4 and is all set up.

The Pi is accessible via ZeroTier over IPv6 but currently not over IPv4. IPv4 did work earlier, but I am working through various setups to get it working.

I am remote to the Pi by about 1000km

I am very familiar with OpnSense but OpenWRT is more compatible with the Pi4 and is nice and light.

I am very familiar with SSH, Linux, Unix, etc.
I am obviously missing something; can anyone help?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Read-only diagnostic dump for an OpenWrt device; nothing here changes state.
# In order it prints: board/firmware info (ubus), the exported UCI sections
# 'network', 'dhcp' and 'firewall', then for IPv4 and again for IPv6 the
# interface addresses, the routes from every routing table, and the policy
# rules, and finally a listing plus the contents of the resolv.* files.
# 'head -n -0' prints each file in full (all but the last 0 lines) and, given
# several files, labels each one with a '==> name <==' header.
# NOTE(review): the result is the device's complete addressing, routing and
# firewall policy. Before posting it publicly, redact passwords, MAC
# addresses and public IP addresses, plus any other secrets the exported
# sections hold (for example VPN private keys or PPPoE credentials, if
# configured).
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thank you here is what we have.

root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "6.1.89",

}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'jjjjj/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.156'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.147.18.40'

config interface 'wan'
	option proto 'dhcp'
	option device '@lan'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config device
	option name 'zr7yd2k9'
	option acceptlocal '1'
	option ip6segmentrouting '1'
	option promisc '1'

config interface 'wifiLAN'
	option proto 'static'
	option device 'phy0-ap0'
	option gateway '10.147.18.40'
	option ip6gw 'IPv6_address_!'
	list ipaddr '192.168.56.1/24'

config interface 'zr7yd2k9'
	option proto 'none'
	option device 'zzr7yd2k9'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'wifiLAN'
	list notinterface 'lan'
	list notinterface 'wan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wifiLAN'
	option interface 'wifiLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option ra_useleasetime '1'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'zr7yd2k9'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option dest_port '9993'
	option src '*'
	option name 'Allow-ZeroTier-Inbound'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'zerotier'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'zr7yd2k9'
	list network 'zr7yd2k9'
	option masq '1'

config zone
	option name 'wifilan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wifiLAN'

config forwarding
	option src 'zerotier'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'zerotier'

config forwarding
	option src 'wifilan'
	option dest 'zerotier'

config forwarding
	option src 'zerotier'
	option dest 'wifilan'

config forwarding
	option dest 'wan'
	option src 'zerotier'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    inet 192.168.56.1/24 brd 192.168.56.255 scope global phy0-ap0
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.156/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.1.35/24 brd 192.168.1.255 scope global secondary br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan proto static src 192.168.1.35 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.156 
192.168.56.0/24 dev phy0-ap0 proto kernel scope link src 192.168.56.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.1.35 dev br-lan table local proto kernel scope host src 192.168.1.156 
local 192.168.1.156 dev br-lan table local proto kernel scope host src 192.168.1.156 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.156 
local 192.168.56.1 dev phy0-ap0 table local proto kernel scope host src 192.168.56.1 
broadcast 192.168.56.255 dev phy0-ap0 table local proto kernel scope link src 192.168.56.1 
0:	from all lookup local
32765:	from all lookup zerotier
32766:	from all lookup main
32767:	from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
3: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPV6_Add/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPV6_Add_c::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 IPv6_ADD/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
IPV6_Add_c::/64 dev br-lan proto static metric 1024 pref medium
unreachable IPV6_Add_c::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast IPV6_Add_c:: dev br-lan table local proto kernel metric 0 pref medium
local IPV6_Add_c::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local IPV6_Add dev phy0-ap0 table local proto kernel metric 0 pref medium
local IPv6_ADD dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
0:	from all lookup local
32766:	from all lookup main
lrwxrwxrwx    1 root     root            16 May 25 18:36 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 31 10:54 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 May 29 22:08 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            54 May 29 22:08 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 8.8.8.8

Something is missing here.

Remove this from the lan and wifiLAN interfaces.

Thanks. How do I route all traffic to another ZeroTier endpoint, so that the traffic goes out through the remote network's LAN gateway?

Add a static route for prefix 0.0.0.0/0 via the ZeroTier gateway address. That gateway is not visible in the output of the route commands, and I don't know how you can find it.

I see how to route the traffic to another endpoint.
Sadly this didn't work; I am continuing to look into it.
Thanks for help.