I didn't mean to hurt you
I'm sorry that I made you cry
Oh now, I didn't want to hurt you
I'm just a jealous guy 
Thanks for trying to help. Here is the current config:
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "ASUS RT-AC88U",
"board_name": "asus,rt-ac88u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "bcm53xx/generic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd03:34c0:83e8::/48'
option packet_steering '1'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'br-trusted'
list ports 'lan1'
list ports 'lan2'
option mtu '1500'
option macaddr 'XX:XX:XX:XX:XX:XX'
option txqueuelen '1000'
option mtu6 '1500'
config interface 'trusted_lan'
option proto 'static'
option device 'br-trusted'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-iot'
list ports 'extsw'
list ports 'lan3'
list ports 'lan4'
option mtu '1500'
option txqueuelen '1000'
option mtu6 '1500'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'iot_lan'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'trusted_lan'
option interface 'trusted_lan'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'iot_lan'
option interface 'iot_lan'
option start '2'
option limit '50'
option leasetime '12h'
config host
option name 'Optiplex'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.100'
config host
option name 'hp-x360'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.13'
config host
option name 'PC-Val'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.19'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'trusted_zone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'trusted_lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'trusted_zone'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'trusted_zone'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'trusted_zone'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'iot-LAN-DHCP'
list proto 'udp'
option src 'iot_zone'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'iot-LAN-DNS'
option src 'iot_zone'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'iot_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot_lan'
config forwarding
option src 'iot_zone'
option dest 'wan'