Routing issues with OpenWrt

Hello all,
can you help with this?
default via x.x.x. dev eth3 proto static metric 40
10.0.0.0/8 via 10.78.13.10 dev eth0 proto static metric 56
10.0.70.48/29 via 10.78.15.10 dev eth2 proto bird metric 32
10.0.71.192/27 via 10.78.15.10 dev eth2 proto bird metric 32
10.78.13.0/24 dev eth0 proto static scope link metric 56
10.78.14.0/24 dev eth1 proto static scope link metric 52
10.78.15.0/24 dev eth2 proto static scope link metric 50
10.78.16.0/20 via 10.78.15.10 dev eth2 proto bird metric 32
10.78.20.0/24 via 10.78.15.10 dev eth2 proto bird metric 32
10.78.21.0/24 via 10.78.15.10 dev eth2 proto bird metric 32
10.78.22.0/24 via 10.78.15.10 dev eth2 proto bird metric 32
10.78.89.0/24 dev wg0 proto kernel scope link src 10.78.89.1
10.78.89.58 dev wg0 proto static scope link
10.78.90.0/24 dev tun0 proto kernel scope link src 10.78.90.1
10.78.91.0/24 dev tun1 proto kernel scope link src 10.78.91.1
155.,x,x,29 dev eth3 proto static scope link metric 40
172.16.0.0/12 via 10.78.13.10 dev eth0 proto static metric 56
192.168.0.0/16 via 10.78.13.10 dev eth0 proto static metric 56

I can no longer connect to a remote network 10.0.70.54. This IP connects to an interface on my LAN router with an IP of 10.0.70.49.
My setup is this:
two routers, wan0 and lan0.
lan0 has multiple interfaces, of which 10.0.70.49 is one.
10.0.70.49 is connected to 10.0.70.54 via a layer 2 link. Before now I could ping 10.0.70.54 (my gateway).

This gateway 10.0.70.54 can be reached via a routing table created for just this network. Below is the routing information:
default via 10.0.70.54 dev eth7 proto static metric 58
10.0.0.0/16 via 10.0.70.54 dev eth7 proto static src 10.0.70.49 metric 58 onlink
10.0.70.48/29 dev eth7 proto static scope link metric 58
10.0.71.192/27 dev eth7 proto static scope link metric 58

This is the lan0 routing table for this network,
while the first routing information is for the wan0 router.

This interface is NATed and has a firewall applied.
Everything has been working until now.
I am new to routing and hence need help in determining if the issue is from my network or if it's external.
Below is my firewall config on the LAN router:
root@lan0-qu:~# cat /etc/config/firewall
config include
option type 'nftables'
option path '/etc/acl/rules/input.nft'
option position 'chain-pre'
option chain 'input'
option enabled '0'

config include
option type 'nftables'
option path '/etc/acl/rules/forward.nft'
option position 'chain-pre'
option chain 'forward'
option enabled '0'

config include
option type 'script'
option path '/etc/acl/bin/acl.sh'
option fw4_compatible '1'
option enabled '0'

config include
option type 'script'
option path '/etc/acl/bin/o365.sh'
option fw4_compatible '1'
option enabled '0'

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
list network 'def'
list network 'dmz'
list network 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list masq_dest '10.78.12.0/22'
list masq_src '10.78.88.0/22'

config zone
option name 'guest'
list network 'pcmn'
list network 'dakaka'
list network 'home'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'customs'
list network 'customs'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'

config forwarding
option src 'wan'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'guest'

config forwarding
option src 'lan'
option dest 'customs'

config forwarding
option src 'guest'
option dest 'wan'

config forwarding
option src 'customs'
option dest 'wan'

config forwarding
option src 'customs'
option dest 'customs'

config rule 'input_dns_dhcp'
option name 'input_dns_dhcp'
option src '*'
option proto 'tcpudp'
option dest_port '53 67:68'
option target 'ACCEPT'
option family 'ipv4'

config redirect 'redirect_dns_lan'
option name 'redirect_dns_lan'
option src 'lan'
option dest 'wan'
option proto 'tcpudp'
option src_dport '53'
option family 'ipv4'
option dest_ip '127.0.0.1'
option ipset '!dns_servers src'
option enabled '0'

config redirect 'redirect_dns_guest'
option name 'redirect_dns_guest'
option src 'guest'
option dest 'wan'
option proto 'tcpudp'
option src_dport '53'
option family 'ipv4'
option dest_ip '127.0.0.1'
option ipset '!dns_servers src'
option enabled '0'

config redirect 'redirect_dns_customs'
option name 'redirect_dns_customs'
option src 'customs'
option dest 'wan'
option proto 'tcpudp'
option src_dport '53'
option family 'ipv4'
option dest_ip '127.0.0.1'
option ipset '!dns_servers src'

My WAN firewall config:
root@wan0-qu:~# cat /etc/config/firewall

config include
option type 'nftables'
option path '/etc/acl/bin/user_pre_input.nft'
option position 'chain-pre'
option chain 'input'
option enabled '1'

config include
option type 'nftables'
option path '/etc/acl/bin/user_pre_forward.nft'
option position 'chain-pre'
option chain 'forward'
option enabled '1'

config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'def'
list network 'dmz'
list network 'lan'
list network 'wg0'
list network 'tun0'
list network 'tun1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list masq_dest '10.78.12.0/22'

config zone
option name 'wan'
list network 'wan1'
list network 'wan2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding 'lan_to_wan'
option src 'lan'
option dest 'wan'

config redirect 'redirect_ssh_lan'
option name 'redirect_ssh_lan'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '8021'
option dest_port '8022'
option dest_ip '10.78.13.10'
option target 'DNAT'

config redirect 'redirect_ssh_host'
option name 'redirect_ssh_host'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '8020'
option dest_port '8022'
option dest_ip '10.78.13.1'
option target 'DNAT'

config redirect 'redirect_pbx_sip'
option name 'redirect_pbx_sip'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '5063'
option family 'ipv4'
option dest_ip '10.78.16.54'

option target 'DNAT'

config redirect 'redirect_pbx_rtp'
option name 'redirect_pbx_rtp'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '10000:20000'
option dest_ip '10.78.16.54'
option family 'ipv4'

option target 'DNAT'

config redirect 'redirect_nvr_http'
option name 'redirect_nvr_http'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '8888'
option dest_port '80'
option dest_ip '10.78.16.59'
option family 'ipv4'
option target 'DNAT'

config redirect 'redirect_nvr_rstp'
option name 'redirect_nvr_rstp'
option src 'wan'
option dest 'lan'
option proto 'tcpudp'
option src_dport '10554'
option dest_ip '10.78.16.59'
option family 'ipv4'
option target 'DNAT'

config redirect 'redirect_nvr_control'
option name 'redirect_nvr_control'
option src 'wan'
option dest 'lan'
option proto 'tcpudp'
option src_dport '8000'
option dest_ip '10.78.16.59'
option family 'ipv4'
option target 'DNAT'

Plus a couple of nftables rules.

Please can someone look at my config and see if there is something wrong.

My LAN and WAN routers are configured with the BIRD routing daemon,
while a separate routing table was created for this specific connection.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
     "kernel": "5.10.146",
        "hostname": "lan0-qu",
        "system": "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "x86/64",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option dns '127.0.0.1'
        option ipv6 '0'

config globals 'globals'
        option ula_prefix 'fdbb:b19c:a810::/48'

config interface 'def'
        option device 'eth0'
        option proto 'static'
        list ipaddr '10.78.13.10/24'
        option gateway '10.78.13.20'
        option metric '46'
        option ipv6 '0'

config interface 'dmz'
        option device 'eth1'
        option proto 'static'
        list ipaddr '10.78.14.10/24'
        option metric '40'
        option ipv6 '0'

config interface 'wan'
        option device 'eth2'
        option proto 'static'
        list ipaddr '10.78.15.10/24'
        option metric '42'
        option ipv6 '0'

config device 'br_lan'
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth3'
        list ports 'tap0'
        list ports 'tap1'
        option ipv6 '0'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        list ipaddr '10.78.19.10/20'
        option metric '50'
        option ipv6 '0'

config interface 'dakaka'
        option proto 'static'
        list ipaddr '10.78.21.10/24'
        list dns_search 'dakaka.quicka'
        option ipv6 '0'
        option metric '52'
        option device 'eth4'

config interface 'pcmn'
        option proto 'static'
        list ipaddr '10.78.20.10/24'
        list dns_search 'pcmn.quicka'
        option ipv6 '0'
        option metric '54'
        option device 'eth5'

config interface 'home'
        option proto 'static'
        list ipaddr '10.78.22.10/24'
        list dns_search 'home.quicka'
        option ipv6 '0'
        option metric '56'
        option device 'eth6'

config interface 'customs'
        option proto 'static'
        option ip4table '446'
        list ipaddr '10.0.71.193/27'
        list ipaddr '10.0.70.49/29'
        option gateway '10.0.70.54'
        option metric '58'
        option ipv6 '0'
        option device 'eth7'

config rule 'customs_rule'
        option dest '10.0.0.0/16'
        option lookup '446'

config route 'customs_route'
        option interface 'customs'
        option target '10.0.0.0/16'
        option gateway '10.0.70.54'
        option table '446'
        option source '10.0.70.49'
        option onlink '1'

package dhcp

config dnsmasq
        option domainneeded '0'
        option boguspriv '0'
        option filterwin2k '1'
        option expandhosts '1'
        option nonegcache '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option confdir '/etc/dnsmasq.d,*.conf'
        option nonwildcard '0'
        option localservice '0'
        option localise_queries '1'
        option ednspacket_max '1232'
        option cachesize '150'
        option logqueries '0'
        option domain 'lan.quicka'
        option rebind_protection '1'
        option rebind_localhost '1'
        list rebind_domain '/quicka.local/'
        list rebind_domain '/dakaka.quicka/'
        list rebind_domain '/pcmn.quicka/'
        list rebind_domain '/twm.ncs.gov.ng/'
        list rebind_domain '/home.quicka/'
        list rebind_domain '/customs.quicka/'
        list rebind_domain '/lan.quicka/'
        list rebind_domain '/wan.quicka/'
        list rebind_domain '/78.10.in-addr.arpa/'
        list rebind_domain '/0.10.in-addr.arpa/'
        list server '/lan.quicka/'
        list server '/customs.quicka/'
        list server '/71.0.10.in-addr.arpa/'
        list server '/home.quicka/10.78.16.21'
        list server '/home.quicka/10.78.16.22'
        list server '/dakaka.quicka/10.78.16.21'
        list server '/dakaka.quicka/10.78.16.22'
        list server '/pcmn.quicka/10.78.16.21'
        list server '/pcmn.quicka/10.78.16.22'
        list server '/quicka.local/10.78.16.21'
        list server '/quicka.local/10.78.16.22'
        list server '/twm.ncs.gov.ng/10.0.10.11'
        list server '/78.10.in-addr.arpa/10.78.16.21'
        list server '/78.10.in-addr.arpa/10.78.16.22'
        list server '/wan.quicka/10.78.15.20'
        list server '/wan.quicka/10.78.14.20'
        list server '/wan.quicka/10.78.13.20'
        list server '10.78.15.20'
        list server '10.78.14.20'
        list server '10.78.13.20'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'customs'
        option interface 'customs'
        option ipv4 '1'
        option ipv6 '0'
        option start '7'
        option limit '23'
        option leasetime '12h'
        option networkid '10.0.71.192'
        option tag 'customs'
        list dhcp_option '6,10.0.10.11'
        list dhcp_option '15,customs.quicka'
        option ignore '0'

config relay 'pcmn'
        option interface 'lan'
        option local_addr '10.78.20.10'
        option server_addr '10.78.16.21'

config relay 'dakaka'
        option interface 'lan'
        option local_addr '10.78.21.10'
        option server_addr '10.78.16.21'

config relay 'home'
        option interface 'lan'
        option local_addr '10.78.22.10'
        option server_addr '10.78.16.21'

uci: Parse error (invalid command) at line 103, byte 1
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.13.10/24 brd 10.78.13.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.14.10/24 brd 10.78.14.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.15.10/24 brd 10.78.15.255 scope global eth2
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.21.10/24 brd 10.78.21.255 scope global eth4
       valid_lft forever preferred_lft forever
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.20.10/24 brd 10.78.20.255 scope global eth5
       valid_lft forever preferred_lft forever
8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.22.10/24 brd 10.78.22.255 scope global eth6
       valid_lft forever preferred_lft forever
9: eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.71.193/27 brd 10.0.71.223 scope global eth7
       valid_lft forever preferred_lft forever
    inet 10.0.70.49/29 brd 10.0.70.55 scope global eth7
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.78.19.10/20 brd 10.78.31.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 10.0.70.54 dev eth7 table 446 proto static metric 58
10.0.0.0/16 via 10.0.70.54 dev eth7 table 446 proto static src 10.0.70.49 metric 58 onlink
10.0.70.48/29 dev eth7 table 446 proto static scope link metric 58
10.0.71.192/27 dev eth7 table 446 proto static scope link metric 58
default via 10.78.14.20 dev eth1 proto bird metric 32
default via 10.78.13.20 dev eth0 proto static metric 46
10.78.13.0/24 dev eth0 proto static scope link metric 46
10.78.14.0/24 dev eth1 proto static scope link metric 40
10.78.15.0/24 dev eth2 proto static scope link metric 42
10.78.16.0/20 dev br-lan proto static scope link metric 50
10.78.20.0/24 dev eth5 proto static scope link metric 54
10.78.21.0/24 dev eth4 proto static scope link metric 52
10.78.22.0/24 dev eth6 proto static scope link metric 56
broadcast 10.0.70.48 dev eth7 table local proto kernel scope link src 10.0.70.49
local 10.0.70.49 dev eth7 table local proto kernel scope host src 10.0.70.49
broadcast 10.0.70.55 dev eth7 table local proto kernel scope link src 10.0.70.49
broadcast 10.0.71.192 dev eth7 table local proto kernel scope link src 10.0.71.193
local 10.0.71.193 dev eth7 table local proto kernel scope host src 10.0.71.193
broadcast 10.0.71.223 dev eth7 table local proto kernel scope link src 10.0.71.193
broadcast 10.78.13.0 dev eth0 table local proto kernel scope link src 10.78.13.10
local 10.78.13.10 dev eth0 table local proto kernel scope host src 10.78.13.10
broadcast 10.78.13.255 dev eth0 table local proto kernel scope link src 10.78.13.10
broadcast 10.78.14.0 dev eth1 table local proto kernel scope link src 10.78.14.10
local 10.78.14.10 dev eth1 table local proto kernel scope host src 10.78.14.10
broadcast 10.78.14.255 dev eth1 table local proto kernel scope link src 10.78.14.10
broadcast 10.78.15.0 dev eth2 table local proto kernel scope link src 10.78.15.10
local 10.78.15.10 dev eth2 table local proto kernel scope host src 10.78.15.10
broadcast 10.78.15.255 dev eth2 table local proto kernel scope link src 10.78.15.10
broadcast 10.78.16.0 dev br-lan table local proto kernel scope link src 10.78.19.10
local 10.78.19.10 dev br-lan table local proto kernel scope host src 10.78.19.10
broadcast 10.78.20.0 dev eth5 table local proto kernel scope link src 10.78.20.10
local 10.78.20.10 dev eth5 table local proto kernel scope host src 10.78.20.10
broadcast 10.78.20.255 dev eth5 table local proto kernel scope link src 10.78.20.10
broadcast 10.78.21.0 dev eth4 table local proto kernel scope link src 10.78.21.10
local 10.78.21.10 dev eth4 table local proto kernel scope host src 10.78.21.10
broadcast 10.78.21.255 dev eth4 table local proto kernel scope link src 10.78.21.10
broadcast 10.78.22.0 dev eth6 table local proto kernel scope link src 10.78.22.10
local 10.78.22.10 dev eth6 table local proto kernel scope host src 10.78.22.10
broadcast 10.78.22.255 dev eth6 table local proto kernel scope link src 10.78.22.10
broadcast 10.78.31.255 dev br-lan table local proto kernel scope link src 10.78.19.10
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0:      from all lookup local
1:      from all to 10.0.0.0/16 lookup 446
10000:  from 10.0.71.193 lookup 446
10000:  from 10.0.70.49 lookup 446
20000:  from all to 10.0.71.193/27 lookup 446
20000:  from all to 10.0.70.49/29 lookup 446
32766:  from all lookup main
32767:  from all lookup default
90009:  from all iif lo lookup 446

**This is the LAN router's config.**
**Below is the WAN router's config.**

 "kernel": "5.10.146",
        "hostname": "wan0-qu",
        "system": "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "x86/64",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option dns '127.0.0.1'

config globals 'globals'
        option ula_prefix 'fdba:319c:a810::/48'

config interface 'def'
        option device 'eth0'
        option proto 'static'
        list ipaddr '10.78.13.20/24'
        option metric '56'
        option ipv6 '0'

config route 'rfc1918a'
        option interface 'def'
        option target '10.0.0.0/8'
        option gateway '10.78.13.10'

config route 'rfc1918b'
        option interface 'def'
        option target '172.16.0.0/12'
        option gateway '10.78.13.10'

config route 'rfc1918c'
        option interface 'def'
        option target '192.168.0.0/16'
        option gateway '10.78.13.10'

config interface 'dmz'
        option device 'eth1'
        option proto 'static'
        list ipaddr '10.78.14.20/24'
        option metric '52'
        option ipv6 '0'

config interface 'lan'
        option device 'eth2'
        option proto 'static'
        list ipaddr '10.78.15.20/24'
        option metric '50'
        option ipv6 '0'

config interface 'wan1'
        option device 'eth3'
        option proto 'static'
        list ipaddr ''public ip/29'
        list ipaddr 'public ip/29'
        option gateway 'public ip'
        option ipv6 '0'
        option metric '40'

config interface 'wan2'
        option device 'eth4'
        option proto 'dhcp'
        option ipv6 '0'
        option metric '42'

config interface 'tun0'
        option proto 'none'
        option defaultroute '0'
        option peerdns '0'
        option ipv6 '0'
        option device 'tun0'

config interface 'tun1'
        option proto 'none'
        option defaultroute '0'
        option peerdns '0'
        option ipv6 '0'
        option device 'tun1'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '8093'
        option private_key 'gBzTEXZp/ey6qhypCs+yb2l8Pd6DI8gXKk1S2AvBm20='
        list addresses '10.78.89.1/24'

config wireguard_wg0
        option description 'cap0'
        option public_key 'c0/ImoCZCi1Ew5kwBKymt8n1WChOsxhPdG+nDqIkMBY='
        option preshared_key 'bsexYVywy1/avuA324Nimes5NRtoCw87BeeZV9y5UTE='
        option route_allowed_ips '1'
        list allowed_ips '10.78.89.58/32'

package dhcp

config dnsmasq
        option domainneeded '0'
        option boguspriv '0'
        option filterwin2k '1'
        option localise_queries '0'
        option rebind_protection '0'
        option rebind_localhost '0'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '0'
        option localservice '0'
        option ednspacket_max '1232'
        option cachesize '1000'
        option logqueries '0'
        option allservers '1'
        option domain 'wan.domain'
        list server '/wan.domain/'
        list server '/lan.domain/10.78.15.10'
        list server '/lan.domain/10.78.14.10'
        list server '/lan.domain/10.78.13.10'
        list server '/home.domain/10.78.15.10'
        list server '/home.domain/10.78.14.10'
        list server '/home.domain/10.78.13.10'
        list server '/dakaka.domain/10.78.15.10'
        list server '/dakaka.domain/10.78.14.10'
        list server '/dakaka.domain/10.78.13.10'
        list server '/pcmn.domain/10.78.15.10'
        list server '/pcmn.domain/10.78.14.10'
        list server '/pcmn.domain/10.78.13.10'
        list server '/customs.domain/10.78.15.10'
        list server '/customs.domain/10.78.14.10'
        list server '/customs.domain/10.78.13.10'
        list server '/domain.local/10.78.15.10'
        list server '/domain.local/10.78.14.10'
        list server '/domain.local/10.78.13.10'
        list server '/78.10.in-addr.arpa/10.78.15.10'
        list server '/78.10.in-addr.arpa/10.78.14.10'
        list server '/78.10.in-addr.arpa/10.78.13.10'
        list server '64.6.64.6'
        list server '64.6.65.6'
        list server '8.8.8.8'
        list server '8.8.4.4'
        list server '208.67.222.222'
        list server '208.67.220.220'
        list server '80.80.80.80'
        list server '80.80.81.81'
        list notinterface 'wan1'
        list notinterface 'wan2'
        option confdir '/tmp/dnsmasq.d'

package firewall

config include
        option type 'nftables'
        option path '/etc/acl/bin/user_pre_input.nft'
        option position 'chain-pre'
        option chain 'input'
        option enabled '1'

config include
        option type 'nftables'
        option path '/etc/acl/bin/user_pre_forward.nft'
        option position 'chain-pre'
        option chain 'forward'
        option enabled '1'

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'def'
        list network 'dmz'
        list network 'lan'
        list network 'wg0'
        list network 'tun0'
        list network 'tun1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list masq_dest '10.78.12.0/22'

config zone
        option name 'wan'
        list network 'wan1'
        list network 'wan2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_to_wan'
        option src 'lan'
        option dest 'wan'

config redirect 'redirect_ssh_lan'
        option name 'redirect_ssh_lan'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8021'
        option dest_port '8022'
        option dest_ip '10.78.13.10'
        option target 'DNAT'

config redirect 'redirect_ssh_host'
        option name 'redirect_ssh_host'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8020'
        option dest_port '8022'
        option dest_ip '10.78.13.1'
        option target 'DNAT'

config redirect 'redirect_pbx_sip'
        option name 'redirect_pbx_sip'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '5063'
        option family 'ipv4'
        option dest_ip '10.78.16.54'

config redirect 'redirect_pbx_rtp'
        option name 'redirect_pbx_rtp'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '10000:20000'
        option dest_ip '10.78.16.54'
        option family 'ipv4'

config redirect 'redirect_nvr_http'
        option name 'redirect_nvr_http'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8888'
        option dest_port '80'
        option dest_ip '10.78.16.59'
        option family 'ipv4'
        option target 'DNAT'

config redirect 'redirect_nvr_rstp'
        option name 'redirect_nvr_rstp'
        option src 'wan'
        option dest 'lan'
        option proto 'tcpudp'
        option src_dport '10554'
        option dest_ip '10.78.16.59'
        option family 'ipv4'
        option target 'DNAT'

config redirect 'redirect_nvr_control'
        option name 'redirect_nvr_control'
        option src 'wan'
        option dest 'lan'
        option proto 'tcpudp'
        option src_dport '8000'
        option dest_ip '10.78.16.59'
        option family 'ipv4'
        option target 'DNAT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.13.20/24 brd 10.78.13.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.14.20/24 brd 10.78.14.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.78.15.20/24 brd 10.78.15.255 scope global eth2
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet public ip/29 brd public ip.223 scope global eth3
       valid_lft forever preferred_lft forever
    inet public ip/29 brd public ip.223 scope global secondary eth3
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.78.89.1/24 brd 10.78.89.255 scope global wg0
       valid_lft forever preferred_lft forever
18: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.78.91.1/24 scope global tun1
       valid_lft forever preferred_lft forever
19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.78.90.1/24 scope global tun0
       valid_lft forever preferred_lft forever
default via public ip dev eth3 proto static metric 40
10.0.0.0/8 via 10.78.13.10 dev eth0 proto static metric 56
10.0.70.48/29 via 10.78.14.10 dev eth1 proto bird metric 32
10.0.71.192/27 via 10.78.14.10 dev eth1 proto bird metric 32
10.78.13.0/24 dev eth0 proto static scope link metric 56
10.78.14.0/24 dev eth1 proto static scope link metric 52
10.78.15.0/24 dev eth2 proto static scope link metric 50
10.78.16.0/20 via 10.78.14.10 dev eth1 proto bird metric 32
10.78.20.0/24 via 10.78.14.10 dev eth1 proto bird metric 32
10.78.21.0/24 via 10.78.14.10 dev eth1 proto bird metric 32
10.78.22.0/24 via 10.78.14.10 dev eth1 proto bird metric 32
10.78.89.0/24 dev wg0 proto kernel scope link src 10.78.89.1
10.78.89.58 dev wg0 proto static scope link
10.78.90.0/24 dev tun0 proto kernel scope link src 10.78.90.1
10.78.91.0/24 dev tun1 proto kernel scope link src 10.78.91.1
public ip/29 dev eth3 proto static scope link metric 40
172.16.0.0/12 via 10.78.13.10 dev eth0 proto static metric 56
192.168.0.0/16 via 10.78.13.10 dev eth0 proto static metric 56
broadcast 10.78.13.0 dev eth0 table local proto kernel scope link src 10.78.13.20
local 10.78.13.20 dev eth0 table local proto kernel scope host src 10.78.13.20
broadcast 10.78.13.255 dev eth0 table local proto kernel scope link src 10.78.13.20
broadcast 10.78.14.0 dev eth1 table local proto kernel scope link src 10.78.14.20
local 10.78.14.20 dev eth1 table local proto kernel scope host src 10.78.14.20
broadcast 10.78.14.255 dev eth1 table local proto kernel scope link src 10.78.14.20
broadcast 10.78.15.0 dev eth2 table local proto kernel scope link src 10.78.15.20
local 10.78.15.20 dev eth2 table local proto kernel scope host src 10.78.15.20
broadcast 10.78.15.255 dev eth2 table local proto kernel scope link src 10.78.15.20
broadcast 10.78.89.0 dev wg0 table local proto kernel scope link src 10.78.89.1
local 10.78.89.1 dev wg0 table local proto kernel scope host src 10.78.89.1
broadcast 10.78.89.255 dev wg0 table local proto kernel scope link src 10.78.89.1
broadcast 10.78.90.0 dev tun0 table local proto kernel scope link src 10.78.90.1
local 10.78.90.1 dev tun0 table local proto kernel scope host src 10.78.90.1
broadcast 10.78.90.255 dev tun0 table local proto kernel scope link src 10.78.90.1
broadcast 10.78.91.0 dev tun1 table local proto kernel scope link src 10.78.91.1
local 10.78.91.1 dev tun1 table local proto kernel scope host src 10.78.91.1
broadcast 10.78.91.255 dev tun1 table local proto kernel scope link src 10.78.91.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast public ip dev eth3 table local proto kernel scope link src public ip
local public ip dev eth3 table local proto kernel scope host src public ip
local public ip dev eth3 table local proto kernel scope host src public ip

The last command with IP rules is missing.

What last command?

ip -4 ru from wan router.
Also on the lan router, there is a typo in the firewall configuration:
uci: Parse error (invalid command) at line 103, byte 1
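
Why the `ip -4 ru` output matters here, as an added example that is not part of any post in this thread: a simplified model of Linux policy routing that walks the rules in priority order and does a longest-prefix match inside each table, run over rules and routes trimmed from the lan0 output posted above. The function names are hypothetical, and the model ignores fwmark, tos and suppress options.

```python
import ipaddress

# Trimmed from the lan0 `ip -4 ru` output posted in this thread.
RULES = """\
0:      from all lookup local
1:      from all to 10.0.0.0/16 lookup 446
10000:  from 10.0.71.193 lookup 446
10000:  from 10.0.70.49 lookup 446
20000:  from all to 10.0.71.193/27 lookup 446
20000:  from all to 10.0.70.49/29 lookup 446
32766:  from all lookup main
32767:  from all lookup default
90009:  from all iif lo lookup 446
"""

# Trimmed from the lan0 `ip -4 ro li tab all` output posted in this thread.
ROUTES = """\
default via 10.0.70.54 dev eth7 table 446 proto static metric 58
10.0.0.0/16 via 10.0.70.54 dev eth7 table 446 proto static src 10.0.70.49 metric 58 onlink
10.0.70.48/29 dev eth7 table 446 proto static scope link metric 58
10.0.71.192/27 dev eth7 table 446 proto static scope link metric 58
default via 10.78.14.20 dev eth1 proto bird metric 32
default via 10.78.13.20 dev eth0 proto static metric 46
10.78.14.0/24 dev eth1 proto static scope link metric 40
10.78.16.0/20 dev br-lan proto static scope link metric 50
local 10.0.70.49 dev eth7 table local proto kernel scope host src 10.0.70.49
local 10.78.19.10 dev br-lan table local proto kernel scope host src 10.78.19.10
"""


def net(text):
    """Turn 'all', 'default', a host or a prefix into an IPv4Network."""
    if text in ("all", "default"):
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False because iproute2 prints e.g. 'to 10.0.70.49/29'
    return ipaddress.ip_network(text, strict=False)


def _opt(tokens, key, default=None):
    """Value following `key` in a tokenised route line, if present."""
    return tokens[tokens.index(key) + 1] if key in tokens else default


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        kv = dict(zip(tok[1::2], tok[2::2]))  # from/to/iif/lookup pairs
        rules.append({
            "prio": int(tok[0].rstrip(":")),
            "from": net(kv["from"]),
            "to": net(kv.get("to", "all")),
            "iif": kv.get("iif"),
            "table": kv["lookup"],
        })
    return sorted(rules, key=lambda r: r["prio"])  # stable: ties keep order


def parse_routes(text):
    routes = []
    for line in text.splitlines():
        tok = line.split()
        rtype = tok.pop(0) if tok[0] in ("local", "broadcast") else "unicast"
        routes.append({
            "type": rtype,
            "dest": net(tok[0]),
            "via": _opt(tok, "via"),
            "dev": _opt(tok, "dev"),
            "table": _opt(tok, "table", "main"),  # no 'table' means main
            "metric": int(_opt(tok, "metric", 0)),
        })
    return routes


def resolve(dst, src="0.0.0.0", iif=None, rules_text=RULES, routes_text=ROUTES):
    """Return (rule priority, table, matched prefix, gateway, device) or None."""
    rules, routes = parse_rules(rules_text), parse_routes(routes_text)
    dst_ip, src_ip = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for rule in rules:
        if src_ip not in rule["from"] or dst_ip not in rule["to"]:
            continue
        if rule["iif"] and rule["iif"] != iif:
            continue
        hits = [r for r in routes
                if r["table"] == rule["table"] and dst_ip in r["dest"]]
        if hits:  # a table with no matching route falls through to the next rule
            best = min(hits, key=lambda r: (-r["dest"].prefixlen, r["metric"]))
            return (rule["prio"], rule["table"], str(best["dest"]),
                    best["via"], best["dev"])
    return None


if __name__ == "__main__":
    # The source address 10.78.16.5 is a constructed br-lan client.
    for dst, src, iif in [("10.0.70.54", "10.78.16.5", "br-lan"),
                          ("10.0.10.11", "10.78.16.5", "br-lan"),
                          ("8.8.8.8", "10.78.16.5", "br-lan"),
                          ("8.8.8.8", "10.0.70.49", "lo")]:
        print(dst, "from", src, "->", resolve(dst, src, iif))
```

On the router itself, `ip -4 route get 10.0.70.54` gives the kernel's own answer for the same question.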