Third VLAN not working

Hi,
I have two devices set up with OpenWRT 21.02:
Cudy AC2100 and Linksys WRT3200ACM

The WRT3200ACM is the "Main Router" and the "Cudy AC2100" is just a dumb AP (fw/dhcp/... turned off).
They are connected via one network cable with three VLANs tagged on both sides:
VLAN 1: 192.168.111.0/24 - normal network traffic routed over main wan
VLAN 41: 192.168.1.0/24 - guests (with custom routing table and openvpn interface as "wan")
VLAN 45: 192.168.2.0/24 - iot network traffic routed over main wan
(and VLAN 7 on wan interface to the fiber modem)
IPv6 is disabled on IOT and GUEST Network.

VLAN 1 and 41 are working fine, 45 not. Ping over VLAN 45 is not possible and RX bytes are always at '0' on the 'br-lan.45' interface of the Cudy device. On the Main-Router the IOT-network is working fine, but it also can't ping the Dumb-AP over VLAN. I did all the setup over LuCI, verified the network config and can't find any mistakes. On both devices all LAN-interfaces are bridged together.

Did I make a mistake somewhere? Between both routers is a Netgear GS108Ev3 Managed Switch, but it is configured to pass all VLAN-IDs.

VLAN-Setup in LuCI (Main-Router Linksys):

VLAN-Setup in LuCI (Dumb-AP Cudy):

Main Router /etc/config/network: (Don't bother with those routes, they are for 'hamnet')

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd67:1139:6471::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.111.1'
	option device 'br-lan.1'
	option ip6assign '64'

config device
	option name 'wan'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '7'
	option name 'wan.7'

config interface 'WAN'
	option proto 'pppoe'
	option device 'wan.7'
	option username 'XXXXXXXXXXXXXXXXX'
	option password 'XXXXXXXXXXXXXXXXX'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '45'
	list ports 'lan4:t'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip4table 'guest'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.45'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config route
	option interface 'lan'
	option target '44.0.0.0'
	option netmask '255.128.0.0'
	option gateway '192.168.111.250'

config route
	option interface 'lan'
	option target '44.128.0.0'
	option netmask '255.192.0.0'
	option gateway '192.168.111.250'

config route
	option interface 'lan'
	option target '44.224.0.0'
	option netmask '255.254.0.0'
	option gateway '192.168.111.250'

config route
	option target '44.225.64.0'
	option netmask '255.255.255.0'
	option gateway '192.168.111.250'
	option interface 'lan'

config interface 'ipvanish'
	option proto 'none'
	option device 'tun0'
	option auto '0'
	option peerdns '0'
	list dns '198.18.0.1'
	list dns '198.18.0.2'
	option ip4table 'guest'
	option delegate '0'

config device
	option name 'br-lan.41'
	option type '8021q'
	option ifname 'br-lan'
	option vid '41'
	option ipv6 '0'

config device
	option name 'br-lan.45'
	option type '8021q'
	option ifname 'br-lan'
	option vid '45'
	option ipv6 '0'

Dumb-AP /etc/config/network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd67:1139:6471::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.111.2'
	option gateway '192.168.111.1'
	list dns '192.168.111.1'
	option ip6ifaceid '::2'
	option device 'br-lan.1'
	option ip6assign '64'

config interface 'GUEST'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option defaultroute '0'
	option delegate '0'
	option type 'bridge'
	option device 'br-lan.41'

config interface 'IOT'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option defaultroute '0'
	option delegate '0'
	option type 'bridge'
	option device 'br-lan.45'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '45'
	list ports 'lan1:t'

config device
	option name 'br-lan.41'
	option type '8021q'
	option ifname 'br-lan'
	option vid '41'
	option ipv6 '0'

config device
	option name 'br-lan.45'
	option type '8021q'
	option ifname 'br-lan'
	option vid '45'
	option ipv6 '0'

Main-Router /etc/config/firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'


config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'GUEST'
	option family 'ipv4'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	list network 'IOT'
	option family 'ipv4'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option output 'ACCEPT'
	option name 'ipvanish'
	list network 'ipvanish'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'guest'
	option dest 'ipvanish'

config forwarding
	option src 'iot'
	option dest 'wan'

Thanks in advance for any help!
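
An added example, not part of the original post: a Python check that parses the bridge-vlan sections of both posted configs and reports VLAN IDs tagged on only one end of the trunk, plus interfaces whose VLAN is not tagged on the trunk port. The function names are hypothetical, the embedded configs are trimmed copies of the ones above, and it assumes the trunk is lan4 on the main router and lan1 on the dumb AP.

```python
import shlex

# Trimmed copies of the two /etc/config/network files posted above: only the
# bridge-vlan sections and the interfaces that sit on a br-lan.<vid> device.
MAIN_ROUTER = """
config interface 'lan'
    option device 'br-lan.1'
config interface 'GUEST'
    option device 'br-lan.41'
config interface 'IOT'
    option device 'br-lan.45'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '41'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '45'
    list ports 'lan4:t'
"""
DUMB_AP = """
config interface 'lan'
    option device 'br-lan.1'
config interface 'GUEST'
    option device 'br-lan.41'
config interface 'IOT'
    option device 'br-lan.45'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:t'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '41'
    list ports 'lan1:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '45'
    list ports 'lan1:t'
"""

def parse_uci(text):
    """Return UCI sections as dicts; 'list' entries become Python lists."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"_type": tok[1], "_name": tok[2] if len(tok) > 2 else ""})
        elif tok[0] == "option" and sections:
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == "list" and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def tagged_vlans(sections, trunk, bridge="br-lan"):
    """VLAN IDs whose bridge-vlan section lists `trunk` with the 't' flag."""
    vids = set()
    for s in sections:
        if s["_type"] == "bridge-vlan" and s.get("device") == bridge:
            for member in s.get("ports", []):
                port, _, flags = member.partition(":")
                if port == trunk and "t" in flags:
                    vids.add(int(s["vlan"]))
    return vids

def interface_vlans(sections, bridge="br-lan"):
    """Map interface name -> VLAN ID for interfaces on '<bridge>.<vid>'."""
    return {s["_name"]: int(s["device"].split(".", 1)[1])
            for s in sections
            if s["_type"] == "interface" and s.get("device", "").startswith(bridge + ".")}

def check_trunk(cfg_a, trunk_a, cfg_b, trunk_b):
    """List VLANs tagged on one end only, and interfaces whose VLAN never reaches the trunk."""
    a, b = parse_uci(cfg_a), parse_uci(cfg_b)
    ta, tb = tagged_vlans(a, trunk_a), tagged_vlans(b, trunk_b)
    findings = [f"VLAN {v} tagged only on side {'A' if v in ta else 'B'}" for v in sorted(ta ^ tb)]
    for side, secs, tagged in (("A", a, ta), ("B", b, tb)):
        for name, vid in sorted(interface_vlans(secs).items()):
            if vid not in tagged:
                findings.append(f"side {side}: {name} uses VLAN {vid}, not tagged on {side}'s trunk port")
    return findings
```

`check_trunk(MAIN_ROUTER, "lan4", DUMB_AP, "lan1")` returns an empty list for the configs as posted, so the bridge-vlan tagging is symmetric on both routers and is not what blocks VLAN 45.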

I don't know if it can help

You can try to set the IoT interface in dhcp to dumb-ap

On the dumbAP change the protocol of the guest and iot interfaces to unmanaged. The dumbAP is not routing, hence it should not have multiple IPs. Only one IP for the management is enough.

OK, I can set it to unmanaged when everything is working. For now I think it is good to have an IP for each network to test if it's working.
Maybe I forgot to mention, that the whole VLAN 45 connection isn't working. All three VLAN-IDs have their own wifi-ap on the Dumb-AP. Clients on wifi network with ID 1 and 41 are working, on 45 not. Each wifi ap is configured with "option network" pointing to its network (lan, IOT, GUEST).

I tried to enable DHCP Client for GUEST and IOT interfaces. GUEST is getting an IP, IOT not.

There isn't much to work. You are making things complicated as you'll have asymmetric routing.

Now guest and iot are unmanaged, iot network is still not working (wifi clients connecting via dumb-ap iot network don't get an IP from dhcp). Maybe one of my devices doesn't support more than two VLANs on one port?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

On both main router and dumbAp.

Main-Router:

{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd67:1139:6471::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.111.1'
	option device 'br-lan.1'
	option ip6assign '64'

config device
	option name 'wan'
	option macaddr 'XXXXXXXXXX'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '7'
	option name 'wan.7'

config interface 'WAN'
	option proto 'pppoe'
	option device 'wan.7'
	option username 'XXXXXXXXXX'
	option password 'XXXXXXXXXX'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '45'
	list ports 'lan4:t'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip4table 'guest'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.45'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config route
	option interface 'lan'
	option target '44.0.0.0'
	option netmask '255.128.0.0'
	option gateway '192.168.111.250'

config route
	option interface 'lan'
	option target '44.128.0.0'
	option netmask '255.192.0.0'
	option gateway '192.168.111.250'

config route
	option interface 'lan'
	option target '44.224.0.0'
	option netmask '255.254.0.0'
	option gateway '192.168.111.250'

config route
	option target '44.225.64.0'
	option netmask '255.255.255.0'
	option gateway '192.168.111.250'
	option interface 'lan'

config interface 'ipvanish'
	option proto 'none'
	option device 'tun0'
	option auto '0'
	option peerdns '0'
	list dns '198.18.0.1'
	list dns '198.18.0.2'
	option ip4table 'guest'
	option delegate '0'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXX'
	option listen_port '5588'
	list addresses '192.168.112.1/24'
	option defaultroute '0'
	option ip6assign '64'
	option ip6hint '10'

config wireguard_WireGuard
	option description 'Pixel'
	option public_key 'XXXXXXXXXX'
	option route_allowed_ips '1'
	list allowed_ips '192.168.112.2/32'
	list allowed_ips 'XXXXXXXXXX'

config wireguard_WireGuard
	option description 'Reiserouter'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.3/32'
	option route_allowed_ips '1'

config wireguard_WireGuard
	option description 'micha'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.4/32'
	option route_allowed_ips '1'

config wireguard_WireGuard
	option description 'gaby'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.5/32'
	option route_allowed_ips '1'

config wireguard_WireGuard
	option description 'julian'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.6/32'
	option route_allowed_ips '1'

config wireguard_WireGuard
	option description 'MichaTablet'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.8/32'
	option route_allowed_ips '1'

config device
	option name 'br-lan.41'
	option type '8021q'
	option ifname 'br-lan'
	option vid '41'
	option ipv6 '0'

config device
	option name 'br-lan.45'
	option type '8021q'
	option ifname 'br-lan'
	option vid '45'
	option ipv6 '0'

config wireguard_WireGuard
	option description 'Julian IPAD'
	option public_key 'XXXXXXXXXX'
	list allowed_ips '192.168.112.9/32'
	option route_allowed_ips '1'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'
	option country 'FR'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option txpower '17'
	option channel 'auto'
	option country 'DE'
	option legacy_rates '1'
	option cell_density '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option band '2g'
	option channel '4'
	option cell_density '0'
	option txpower '14'
	option htmode 'HT20'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheInternet_IOT'
	option encryption 'psk2'
	option disassoc_low_ack '0'
	option key 'XXXXXXXXXX'
	option network 'IOT'
	option wmm '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheInternet_Guests'
	option encryption 'psk2'
	option isolate '1'
	option key 'XXXXXXXXXX'
	option network 'GUEST'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '/ampr.org/44.149.65.129'
	list server '127.0.0.1#5054'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list doh_backup_server '/ampr.org/44.149.65.129'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,198.18.0.1,198.18.0.2'
	list ra_flags 'none'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config host
	option name 'home'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.219'
	option leasetime 'infinite'
	option duid 'XXXXXXXXXX'
	option hostid '219'

config host
	option name 'hamserver-pi'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.134'
	option leasetime 'infinite'

config host
	option name 'TreppenhausCAM'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.30'
	option leasetime 'infinite'

config host
	option name 'DanielsCAM'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.31'
	option leasetime 'infinite'

config host
	option name 'HaustuerCAM'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.32'
	option leasetime 'infinite'

config host
	option name 'gameserver'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.50'
	option leasetime 'infinite'

config host
	option name 'shelly1-8CAAB505D0C9'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.2.22'
	option leasetime 'infinite'

config host
	option name 'shellydimmer-D0AF5A'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.2.21'
	option leasetime 'infinite'

config host
	option name 'EPSONB26306'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.25'
	option leasetime 'infinite'

config host
	option name 'TEAMSOFA'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.24'
	option leasetime 'infinite'
	option duid 'XXXXXXXXXX'
	option hostid '24'

config host
	option name 'Tuya-Steckdose1'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.2.20'
	option leasetime 'infinite'

config host
	option name 'pi-star-dual'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.27'
	option leasetime 'infinite'

config host
	option name 'web'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.10'
	option leasetime 'infinite'
	option duid 'XXXXXXXXXX'
	option hostid '10'

config host
	option name 'DO1DAS-m5'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.250'
	option leasetime 'infinite'

config host
	option name 'freepbx'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.111'
	option leasetime 'infinite'

config host
	option name 'doorpi'
	option dns '1'
	option mac 'XXXXXXXXXX'
	option ip '192.168.111.40'
	option leasetime 'infinite'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireGuard'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'AllowWireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '5588'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'GUEST'
	option family 'ipv4'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	list network 'IOT'
	option family 'ipv4'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option output 'ACCEPT'
	option name 'ipvanish'
	list network 'ipvanish'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option input 'DROP'
	option forward 'DROP'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.111.10'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.111.10'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ts3-speech'
	list proto 'udp'
	option src 'wan'
	option src_dport '9987'
	option dest_ip '192.168.111.219'
	option dest_port '9987'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ts3-file'
	list proto 'tcp'
	option src 'wan'
	option src_dport '30033'
	option dest_ip '192.168.111.219'
	option dest_port '30033'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ts3-query'
	list proto 'tcp'
	option src 'wan'
	option src_dport '10011'
	option dest_ip '192.168.111.219'
	option dest_port '10011'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'valheim'
	option src 'wan'
	option src_dport '2456-2458'
	option dest_ip '192.168.111.219'
	option dest_port '2456-2458'

config forwarding
	option src 'guest'
	option dest 'ipvanish'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'http-v6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option dest_port '80'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::10/-64'

config rule
	option name 'https-v6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option dest_port '443'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::10/-64'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.111.24'
	option dest_port '32400'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Priv Torrent'
	option src 'wan'
	option src_dport '51337'
	option dest_ip '192.168.111.24'
	option dest_port '51337'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Torrent Tracker'
	list proto 'tcp'
	option src 'wan'
	option src_dport '9000'
	option dest_ip '192.168.111.24'
	option dest_port '9000'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wguard-hamnet'
	list proto 'udp'
	option src 'wan'
	option src_dport '51822'
	option dest_ip '192.168.111.134'
	option dest_port '51822'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Minecraft'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25565'
	option dest_ip '192.168.111.219'
	option dest_port '25565'

config rule
	option family 'ipv6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option dest_port '25565'
	option target 'ACCEPT'
	option name 'Minecraft-v6'
	list dest_ip '::219/-64'

config rule
	option name 'valheim-v6'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_port '2456-2458'
	option target 'ACCEPT'
	list dest_ip '::219/-64'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Satisfactory Query'
	list proto 'udp'
	option src 'wan'
	option src_dport '15777'
	option dest_ip '192.168.111.219'
	option dest_port '15777'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'satisfactory Beacon'
	list proto 'udp'
	option src 'wan'
	option src_dport '15000'
	option dest_ip '192.168.111.219'
	option dest_port '15000'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Satisfactory Game'
	list proto 'udp'
	option src 'wan'
	option src_dport '7777'
	option dest_ip '192.168.111.219'
	option dest_port '7777'

config rule
	option name 'satisfactory Query v6'
	option family 'ipv6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '15777'
	option target 'ACCEPT'
	list dest_ip '::219/-64'

config rule
	option name 'satisfactory Beacon v6'
	option family 'ipv6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '15000'
	option target 'ACCEPT'
	list dest_ip '::219/-64'

config rule
	option name 'Satisfactory Game v6'
	option family 'ipv6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '7777'
	option target 'ACCEPT'
	list dest_ip '::219/-64'

config rule
	option name 'TS3 Speech v6'
	option family 'ipv6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '::219/-64'
	option dest_port '9987'
	option target 'ACCEPT'

config rule
	option name 'TS3 file v6'
	option family 'ipv6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '::219/-64'
	option dest_port '30033'
	option target 'ACCEPT'

config rule
	option name 'TS3 query v6'
	option family 'ipv6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '::219/-64'
	option dest_port '10011'
	option target 'ACCEPT'

config rule
	option name 'Plex v6'
	option family 'ipv6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '::24/-64'
	option dest_port '32400'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.111.1/24 brd 192.168.111.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
13: br-lan.41@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan.41
       valid_lft forever preferred_lft forever
14: br-lan.45@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan.45
       valid_lft forever preferred_lft forever
16: WireGuard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.112.1/24 brd 192.168.112.255 scope global WireGuard
       valid_lft forever preferred_lft forever
18: pppoe-WAN: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet XXXXXXXXXX peer XXXXXXXXXX/32 scope global pppoe-WAN
       valid_lft forever preferred_lft forever
19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet XXXXXXXXXX/23 scope global tun0
       valid_lft forever preferred_lft forever
default via XXXXXXXXXX dev tun0 table guest 
192.168.1.0/24 dev br-lan.41 table guest scope link 
default via XXXXXXXXXX dev pppoe-WAN 
44.0.0.0/9 via 192.168.111.250 dev br-lan.1 
44.128.0.0/10 via 192.168.111.250 dev br-lan.1 
44.224.0.0/15 via 192.168.111.250 dev br-lan.1 
44.225.64.0/24 via 192.168.111.250 dev br-lan.1 
XXXXXXXXXX dev pppoe-WAN scope link  src XXXXXXXXXX 
XXXXXXXXXX/23 dev tun0 scope link  src XXXXXXXXXX 
192.168.2.0/24 dev br-lan.45 scope link  src 192.168.2.1 
192.168.111.0/24 dev br-lan.1 scope link  src 192.168.111.1 
192.168.112.0/24 dev WireGuard scope link  src 192.168.112.1 
192.168.112.2 dev WireGuard scope link 
192.168.112.3 dev WireGuard scope link 
192.168.112.4 dev WireGuard scope link 
192.168.112.5 dev WireGuard scope link 
192.168.112.6 dev WireGuard scope link 
192.168.112.8 dev WireGuard scope link 
192.168.112.9 dev WireGuard scope link 
local XXXXXXXXXX dev pppoe-WAN table local scope host  src XXXXXXXXXX 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast XXXXXXXXXX dev tun0 table local scope link  src XXXXXXXXXX 
local XXXXXXXXXX dev tun0 table local scope host  src XXXXXXXXXX 
broadcast XXXXXXXXXX dev tun0 table local scope link  src XXXXXXXXXX 
broadcast 192.168.1.0 dev br-lan.41 table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan.41 table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan.41 table local scope link  src 192.168.1.1 
broadcast 192.168.2.0 dev br-lan.45 table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan.45 table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan.45 table local scope link  src 192.168.2.1 
broadcast 192.168.111.0 dev br-lan.1 table local scope link  src 192.168.111.1 
local 192.168.111.1 dev br-lan.1 table local scope host  src 192.168.111.1 
broadcast 192.168.111.255 dev br-lan.1 table local scope link  src 192.168.111.1 
broadcast 192.168.112.0 dev WireGuard table local scope link  src 192.168.112.1 
local 192.168.112.1 dev WireGuard table local scope host  src 192.168.112.1 
broadcast 192.168.112.255 dev WireGuard table local scope link  src 192.168.112.1 
0:	from all lookup local 
9999:	from all iif br-lan.41 lookup guest 
10000:	from 192.168.1.1 lookup guest 
20000:	from all to 192.168.1.1/24 lookup guest 
32766:	from all lookup main 
32767:	from all lookup default 
90013:	from all iif lo lookup guest 
lrwxrwxrwx    1 root     root            16 Feb 16 21:29 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Mar 16 01:57 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root           136 Mar 16 02:07 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            54 Mar 16 01:58 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           136 Mar 16 02:07 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface WAN
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
# Interface WAN_6

==> /tmp/resolv.conf <==
# Interface WAN
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
# Interface WAN_6

==> /tmp/resolv.conf.d <==

==> /tmp/resolv.conf.ppp <==
nameserver 217.237.150.205
nameserver 217.237.149.142

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface WAN
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
# Interface WAN_6

Dumb-AP:

{
	"kernel": "5.4.179",
	"hostname": "OpenWrtCudy",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Cudy WR2100",
	"board_name": "cudy,wr2100",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ramips/mt7621",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd67:1139:6471::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.111.2'
	option gateway '192.168.111.1'
	list dns '192.168.111.1'
	option ip6ifaceid '::2'
	option device 'br-lan.1'
	option ip6assign '64'

config interface 'GUEST'
	option type 'bridge'
	option device 'br-lan.41'
	option proto 'none'
	option defaultroute '0'

config interface 'IOT'
	option type 'bridge'
	option device 'br-lan.45'
	option proto 'none'
	option defaultroute '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '45'
	list ports 'lan1:t'

config device
	option name 'br-lan.41'
	option type '8021q'
	option ifname 'br-lan'
	option vid '41'
	option ipv6 '0'

config device
	option name 'br-lan.45'
	option type '8021q'
	option ifname 'br-lan'
	option vid '45'
	option ipv6 '0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheInternet_Guests'
	option encryption 'psk2'
	option isolate '1'
	option key 'XXXXXXXXXX'
	option network 'GUEST'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheInternet_IOT'
	option encryption 'psk2'
	option key 'XXXXXXXXXX'
	option network 'IOT'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.111.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.111.2/24 brd 192.168.111.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
default via 192.168.111.1 dev br-lan.1 
192.168.111.0/24 dev br-lan.1 scope link  src 192.168.111.2 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.111.0 dev br-lan.1 table local scope link  src 192.168.111.2 
local 192.168.111.2 dev br-lan.1 table local scope host  src 192.168.111.2 
broadcast 192.168.111.255 dev br-lan.1 table local scope link  src 192.168.111.2 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 16 21:29 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 15 22:58 /tmp/resolv.conf
-rw-r--r--    1 root     root            41 Mar 15 22:58 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            41 Mar 15 22:58 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.111.1

head: /tmp/resolv.conf.d: I/O error

routes executed by openvpn on Main-Router:

#!/usr/bin/env sh

table=guest

# Called by OpenVPN: maintain the default route of the guest routing table.
# '=' is the POSIX string comparison; variables are quoted against empty values.
if [ "$script_type" = "route-up" ]; then
  ip route add default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
  #ip route add 0.0.0.0/0 via $route_vpn_gateway dev $dev proto static
elif [ "$script_type" = "route-pre-down" ]; then
  ip route del default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
  #ip route del 0.0.0.0/0 via $route_vpn_gateway dev $dev proto static
fi

Main-Router /etc/hotplug.d/iface/99-guest:

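#!/usr/bin/env sh

if=GUEST

dev=$DEVICE
table=guest

# Resolve the device behind a logical interface from UCI.
if2dev() {
  # OpenWrt 21.02 stores it in 'device'; older releases used 'ifname'
  dev=$(uci -q get "network.$1.device" || uci -q get "network.$1.ifname")
  [ "$(echo "$dev" | wc -w)" -gt 1 ] && dev=br-$1
  echo "$dev"
}

# Add or remove the policy rule that sends guest traffic to the guest table.
if [ "$INTERFACE" = "$if" ]; then
  if [ "$ACTION" = "ifup" ]; then
    ip rule add iif "$dev" lookup "$table"
  elif [ "$ACTION" = "ifdown" ]; then
    # Workaround for missing $DEVICE when interface is going down
    dev=$(if2dev "$if")
    ip rule del iif "$dev" lookup "$table"
  fi
fi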

I think I may have hit a similar issue: I can't get VLANs up correctly and I also see "RX 0" on the related interfaces. I don't want to hijack this thread at all, just subscribing in a way :wink: (yes, I clicked that button too, but I also wanted to add that "me too" here).

Did you make progress already?

EDIT:

May I add my network config for comparison? As you see, I am trying several things:

cat /etc/config/network 

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'

config device 'device1'
	option name 'mainbridge'
	list ports 'eth0'
	option type 'bridge'
	option macaddr '0e:f1:05:e4:1d:80'
	option ipv6 '0'
	option mtu '1492'

config bridge-vlan 'bridge_vlan2'
	option device 'mainbridge'
	list ports 'eth0:u*'
	option vlan '1'

config interface 'ifdhcp'
	option proto 'dhcp'
	option device 'mainbridge.1'

config bridge-vlan 'bridge_vlan1'
	option device 'mainbridge'
	list ports 'eth0:t'
	option vlan '11'

config device
	option name 'eth0'
	option macaddr '0e:f1:05:e4:1d:80'

config interface 'TestVLAN11'
	option proto 'dhcp'
	option device 'mainbridge.11'

config bridge-vlan
	option device 'mainbridge'
	option vlan '12'
	list ports 'eth0:t'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '12'
	option name 'eth0.12'

config interface 'vlan12'
	option proto 'dhcp'
	option device 'eth0.12'

EDIT 2: decided to open a new thread at D-Link DAP 2610: first steps with VLANs

This rule is not correct, it should be either 192.168.1.0/24 or .1/32

This is not the case. You can have many vlans on a trunk port.

Configuration looks good to me. Verify with a packet capture that you can see the packets going out of the dumb AP:

opkg update; opkg install tcpdump; tcpdump -i br-lan.45 -evn

Then try to connect a host in iot.
On the main router, check the firewall for hits on the iot zone with iptables-save -c and run the same capture.
Are the 2 devices connected directly by cable or is there any switch or powerline between them?

There is a managed switch between both devices:

I get loads of these DHCP requests, nothing else:

17:10:16.072943 XX:XX:XX:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: (tos 0x0, ttl 255, id 3479, offset 0, flags [none], proto UDP (17), length 336)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from XX:XX:XX:XX:XX:XX, length 308, xid 0x2accd172, Flags [none]
	  Client-Ethernet-Address XX:XX:XX:XX:XX:XX
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    MSZ Option 57, length 2: 1500
	    Parameter-Request Option 55, length 4: 
	      Subnet-Mask, Default-Gateway, BR, Domain-Name-Server

First I disabled iot-wifi on main-router to ensure no counter increase from clients connected to main router. After that all clients tried to connect to the dumb-ap but counters in iptables-save -c | grep iot stayed the same. They started increasing again after I reenabled the wifi on main-router.

Is that managed switch configured properly? I'd look there first.

Pro tip: work from the main router at the root, then work out from there.

Assign one of the main router's ports to each of the VLANs (either one port in turn, or 1 port for each VLAN) configured as an access port (i.e. just the one VLAN untagged on the port). Then plug a device into the port(s) to verify that they get an address on the desired network via DHCP and have the desired connectivity.

Then, once that is proven, use your trunk port connected to your managed switch and verify that the switch is configured properly. To this end, do the same thing with one (or multiple) switch port(s) -- configuring access ports such that you can test that the trunk and the managed switch are configured properly.

Finally, make sure that the managed switch has a trunk configured for the connection to the second OpenWrt device (likely identical to the trunk to the main router), and then repeat the process of assigning access ports on that second OpenWrt device.

... I checked its configuration about 10 times. VLAN 1 and 41 worked fine so I thought the configuration must be OK... now I checked once again and just switched its settings to 'advanced mode' and configured each VLAN-ID instead of passing all... now everything is working fine :joy:

It's really a shame... I wasted so much of your and my time :sob:. Big THANK YOU!
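
The symptom that located the fault in this thread, one VLAN sub-interface whose RX counter stays at 0 while the other VLANs on the same trunk receive traffic, can be checked for every VLAN at once from the interface counters. This is an added example, not code from any poster in the thread; the function names and the fixture with its counter values are constructed, and it assumes sub-interfaces named <bridge>.<vid> as in the configs above.

```shell
#!/bin/sh
# silent_vlans BRIDGE [SYSFS_ROOT]
# Prints the VLAN IDs of BRIDGE.<vid> sub-interfaces whose rx_packets counter
# is 0. Returns 1 when no sibling VLAN has received anything either, because
# then the link itself is suspect and a per-VLAN verdict means nothing.
silent_vlans() {
    bridge=$1
    root=${2:-/sys/class/net}
    silent=""
    alive=0
    for path in "$root/$bridge".*; do
        [ -r "$path/statistics/rx_packets" ] || continue
        vid=${path##*.}
        case $vid in ''|*[!0-9]*) continue ;; esac   # skip non-VLAN names
        rx=$(cat "$path/statistics/rx_packets")
        if [ "$rx" -eq 0 ]; then
            silent="$silent $vid"
        else
            alive=$((alive + 1))
        fi
    done
    [ "$alive" -gt 0 ] || return 1
    # Unquoted on purpose: collapses the leading space in the list.
    echo $silent
}

# Constructed fixture shaped like the dumb AP in this thread: VLAN 1 and 41
# receive frames, VLAN 45 receives none. The counter values are made up.
make_fixture() {
    dir=$(mktemp -d)
    for pair in 1:5213 41:877 45:0; do
        mkdir -p "$dir/br-lan.${pair%%:*}/statistics"
        echo "${pair##*:}" > "$dir/br-lan.${pair%%:*}/statistics/rx_packets"
    done
    echo "$dir"
}

fixture=$(make_fixture)
echo "VLANs with no ingress on br-lan: $(silent_vlans br-lan "$fixture")"
rm -rf "$fixture"
```

On the dumb AP itself, silent_vlans br-lan reads the live counters from /sys/class/net. A VLAN that shows up here while its siblings do not points at a device in the path that filters that VLAN ID, not at the cable or the port.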
