VLANs and Second AP with LAN Ports

Hey all!

I'm fairly new to OpenWrt. I bought two routers: the GL.iNet Flint and Flint 2. I have my Flint 2 as my main router and the original Flint as a dumb AP in my living room, connected via a long ethernet cable.

I am starting to get into network segregation as a self-learning/homelab experiment. I have VLANs set up on my main router and they seem to work fine. However, I am having trouble passing them to my AP.

My VLANs so far are:
90 - Guest
98 - Service
99 - LAN

On my router, I have port 5 tagged for all VLANs. I then run the ethernet cable to the WAN port on the AP. Then I tagged all VLANs on the AP's WAN port and untagged all other LAN ports for VLAN 99 (the LAN VLAN on my router). I am able to access the AP's GUI and can ping it from my router, but when I plug into one of the LAN ports on the AP, I get an IP, subnet, DNS... all is good, but it refuses to talk to anything besides the AP. I can't access my router via IP or any websites for that matter, but I can access the AP's GUI. I made sure DHCP, DNS, and the firewall were all disabled on the AP.

It is literally driving me insane and I know I'm probably making some silly mistake but cannot figure it out for the life of me. See below for screenshots (I had to use Dropbox links due to the image embed limit for new users).


Here are some LuCI configuration screenshots from my router:
https://www.dropbox.com/scl/fo/k4jmn1tmk9vf8yzrhejy5/AHp1Ccg86tPuJFo3t61z2Xw?rlkey=tt6huicyy384up52y9m2z9zig&dl=0


Here are some LuCI configuration screenshots from my AP:
https://www.dropbox.com/scl/fo/k4jmn1tmk9vf8yzrhejy5/AHp1Ccg86tPuJFo3t61z2Xw?rlkey=tt6huicyy384up52y9m2z9zig&dl=0


Any help is greatly appreciated! I know it may be simple to some, but networking is my weakness, so I am trying to improve my skills.

Instead of your Dropbox links, please provide your configs like this:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Router configs:

        "kernel": "5.4.238",
        "hostname": "HendersonStreet",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+1071-46b6ee7ffc",
                "target": "mediatek/mt7986",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+1071-46b6ee7ffc"
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb1:ea4b:af7a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option igmp_snooping '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr '94:83:c4:a2:97:5e'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a2:97:5e'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a2:97:5e'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a2:97:5e'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a2:97:5e'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.0.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        list dns '10.0.0.3'
        list dns_search 'lan1'
        list dns_search 'lan2'
        list dns_search 'taile34ed.ts.net'
        option device 'br-lan-v99'

config device
        option name 'eth1'
        option macaddr '94:83:c4:a2:97:5c'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option ipv6 '0'
        option metric '10'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option peerdns '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option isolate '0'
        option bridge_empty '1'
        option ipaddr '10.1.0.2'
        option igmp_snooping '1'
        option disabled '0'
        option device 'br-guest2-v90'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option metric '15'
        option device '@secondwan'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'wgserver'
        option proto 'wgserver'
        option config 'main_server'
        option disabled '1'

config interface 'wgclient'
        option proto 'wgclient'
        option config 'peer_2001'
        option disabled '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '98'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan5:t'

config interface 'SERVICE'
        option device 'br-lan.98'
        option proto 'static'
        option ipaddr '10.0.2.2'
        option netmask '255.255.255.0'

config device
        list ports 'br-lan.99'
        option type 'bridge'
        option name 'br-lan-v99'
        option vlan_filtering '1'

config device
        option type 'bridge'
        option name 'br-guest2-v90'
        list ports 'br-lan.90'

config bridge-vlan
        option device 'br-lan'
        option vlan '90'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:t'
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option local '/lan1/'
        list server '127.0.0.1#5453'
        option noresolv '1'
        option localuse '1'
        option domain 'lan1'

config dhcp 'lan'
        option interface 'lan'
        option start '4'
        option limit '246'
        option leasetime '720m'
        option dhcpv4 'server'
        option force '1'
        list dhcp_option '6,10.0.0.3'
        list dhcp_option '119,lan1,lan2,taile34ed.ts.net'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option ip '10.0.0.2'
        option name 'HendersonStreet'

config domain
        option ip '::ffff:10.0.0.2'
        option name 'HendersonStreet'

config dhcp 'guest'
        option interface 'guest'
        option start '3'
        option limit '247'
        option leasetime '720m'
        list dhcp_option '6,8.8.8.8,1.1.1.1'
        list ra_flags 'none'

config dhcp 'secondwan'
        option interface 'secondwan'
        option ignore '1'

config host
        option mac '50:9A:4C:9E:56:61'
        option ip '10.0.0.93'
        option tag 'idrac'

config host
        option mac '80:56:F2:19:DE:3B'
        option ip '10.0.0.184'
        option tag 'HP-PRINTER'

config host
        option mac 'C0:74:AD:14:9A:29'
        option ip '10.0.0.84'
        option tag 'Grandstream ATA'

config host
        option mac '50:9A:4C:9E:56:5F'
        option ip '10.0.0.92'
        option tag 'Morty'

config host
        option mac '02:42:0A:00:00:6F'
        option ip '10.0.0.111'
        option tag 'TimeMachine'

config host
        option mac '6C:02:E0:42:02:37'
        option ip '10.0.0.5'
        option tag 'Desktop3'
        option name 'desktop3'
        option dns '1'

config host
        option mac '94:83:C4:42:30:B7'
        option ip '10.0.0.85'
        option tag 'HendersonStreetLR'

config dhcp 'SERVICE'
        option leasetime '12h'
        option limit '150'
        option interface 'SERVICE'
        list dhcp_option '6,10.0.0.2'
        option start '4'
        list ra_flags 'none'
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'SERVICE'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-*'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone 'tailscale0'
        option name 'tailscale0'
        option input 'ACCEPT'
        list device 'tailscale0'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding 'lan_tailscale'
        option src 'lan'
        option dest 'tailscale0'

config forwarding 'tailscale_lan'
        option src 'tailscale0'
        option dest 'lan'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config redirect
        option enabled '1'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.0.0.92'
        option dest_port '443'
        option src 'wan'
        option name 'GL-HTTPS'
        option dest 'lan'

config redirect
        option enabled '1'
        option src_dport '80'
        option dest_ip '10.0.0.92'
        option dest_port '80'
        option src 'wan'
        option name 'GL-HTTP'
        option dest 'lan'
        option proto 'tcp'

config forwarding 'wgserver2wgclient'
        option src 'wgserver'
        option dest 'wgclient'
        option enabled '0'

config forwarding 'wgserver2ovpnclient'
        option src 'wgserver'
        option dest 'ovpnclient'
        option enabled '0'

config rule 'wgserver_allow'
        option name 'wgserver_allow'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '51820'
        option enabled '0'

config zone 'wgserver'
        option name 'wgserver'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option masq6 '0'
        option enabled '0'
        list network 'wgserver'
        option forward 'REJECT'

config forwarding 'wgserver2wan'
        option src 'wgserver'
        option dest 'wan'
        option enabled '0'

config forwarding 'lan2wgserver'
        option src 'lan'
        option dest 'wgserver'
        option enabled '0'

config forwarding 'wgserver2lan'
        option src 'wgserver'
        option dest 'lan'
        option enabled '1'

config forwarding 'wgserver2wgserver'
        option src 'wgserver'
        option dest 'wgserver'
        option enabled '0'

config zone 'wgclient'
        option masq6 '0'
        option name 'wgclient'
        option forward 'DROP'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option enabled '0'
        list network 'wgclient'

config forwarding 'wgclient2wan'
        option src 'wgclient'
        option dest 'wan'
        option enabled '0'

config forwarding 'wgclient2lan'
        option src 'wgclient'
        option dest 'lan'
        option enabled '1'

config forwarding 'lan2wgclient'
        option src 'lan'
        option dest 'wgclient'
        option enabled '0'

config forwarding 'guest2wgclient'
        option src 'guest'
        option dest 'wgclient'
        option enabled '0'

AP configs:

        "kernel": "4.4.60",
        "hostname": "HendersonStreetLR",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "GL Technologies, Inc. AX1800",
        "board_name": "glinet,ax1800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r16399+165-c67509efd7",
                "target": "ipq807x/ipq60xx",
                "description": "OpenWrt 21.02-SNAPSHOT r16399+165-c67509efd7",
                "tip-revision": "OpenWrt 21.02-SNAPSHOT r16399+165-c67509efd7 / TIP-devel-12b3c198",
                "tip-version": "devel"
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:6bf9:7108::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr '94:83:c4:42:30:b7'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config device
        option name 'eth1'
        option macaddr '94:83:c4:42:30:b7'

config device
        option name 'eth2'
        option macaddr '94:83:c4:42:30:b7'

config device
        option name 'eth3'
        option macaddr '94:83:c4:42:30:b7'

config device
        option name 'eth4'
        option macaddr '94:83:c4:42:30:b7'

config interface 'lan'
        option ipaddr_old '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'br-lan-v99'

config device
        option name 'eth0'
        option macaddr '94:83:c4:42:30:b6'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option metric '10'
        option disabled '1'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '0'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '90'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '98'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'eth0:t'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

config device
        option type 'bridge'
        option name 'br-lan-v99'
        list ports 'br-lan.99'
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option ip '192.168.8.1'
        option name 'HendersonStreetLR'

config domain
        option ip '::ffff:192.168.8.1'
        option name 'HendersonStreetLR'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'disabled'

Even though it should be disabled, here is my firewall config as well.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-+'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config nat
        option target 'SNAT'
        list proto 'all'
        option snat_ip '10.0.0.85'
        option src 'lan'
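
A check of the trunk described in the first post (router port 5, `lan5`, to the AP's WAN port, `eth0`), as an added example that is not part of the thread or of OpenWrt: it parses the `bridge-vlan` sections copied from the two configs above and compares the tagged VLAN sets on both ends. The function names are hypothetical, and a port listed without a `:t` suffix is assumed to be not tagged. On these inputs both ends carry 90, 98 and 99 tagged, so the two VLAN tables agree with each other.

```python
import shlex

# bridge-vlan sections copied from the two /etc/config/network dumps in the
# thread (router = GL-MT6000, AP = AX1800); all other sections are left out.
ROUTER_NETWORK = """\
config bridge-vlan
        option device 'br-lan'
        option vlan '98'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '90'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:t'
"""
AP_NETWORK = """\
config bridge-vlan
        option device 'br-lan'
        option vlan '90'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '98'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'eth0:t'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'options', 'lists'} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the single quotes around values
        if tokens[0] == "config" and len(tokens) >= 2:
            sections.append({"type": tokens[1], "options": {}, "lists": {}})
        elif sections and len(tokens) >= 3 and tokens[0] == "option":
            sections[-1]["options"][tokens[1]] = tokens[2]
        elif sections and len(tokens) >= 3 and tokens[0] == "list":
            sections[-1]["lists"].setdefault(tokens[1], []).append(tokens[2])
    return sections

def vlan_table(text, bridge):
    """Map VLAN ID -> {port: flags} for one bridge; flags is the text after ':'."""
    table = {}
    for sec in parse_uci(text):
        if sec["type"] != "bridge-vlan" or sec["options"].get("device") != bridge:
            continue
        vid = int(sec["options"]["vlan"])
        for spec in sec["lists"].get("ports", []):
            port, _, flags = spec.partition(":")
            table.setdefault(vid, {})[port] = flags
    return table

def tagged_vlans(table, port):
    """VLAN IDs in which `port` carries the 't' (tagged) flag."""
    return {vid for vid, ports in table.items() if "t" in ports.get(port, "")}

def compare_trunk(table_a, port_a, table_b, port_b):
    """Compare the tagged VLAN sets on the two ends of one cable."""
    a, b = tagged_vlans(table_a, port_a), tagged_vlans(table_b, port_b)
    return {"both": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}

def pvid_conflicts(table):
    """Ports flagged as PVID ('*') in more than one VLAN, which is ambiguous."""
    seen = {}
    for vid, ports in table.items():
        for port, flags in ports.items():
            if "*" in flags:
                seen.setdefault(port, []).append(vid)
    return {port: sorted(vids) for port, vids in seen.items() if len(vids) > 1}

if __name__ == "__main__":
    router = vlan_table(ROUTER_NETWORK, "br-lan")
    ap = vlan_table(AP_NETWORK, "br-lan")
    print("trunk lan5 <-> eth0:", compare_trunk(router, "lan5", ap, "eth0"))
    print("PVID conflicts:", pvid_conflicts(router), pvid_conflicts(ap))
```

A VLAN that shows up under `only_a` or `only_b` is tagged on one end of the cable only, which is the mismatch to rule out before looking at firewall or DHCP settings.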

TL;DR:

  • Looks like you're running GL.iNet's vendor firmware -- you'll need to ask them for help.
  • Your device MT6000 is supported by the official OpenWrt project -- download the firmware from here
  • The ax1800 is not supported by official OpenWrt, so you'll still need to ask on their support channels, but we can help you with the MT6000 once you are running official OpenWrt.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Thank you so much for the suggestion. I found custom firmware online made for my hardware that is very close to the official OpenWrt firmware. I was able to get it installed and running without issues. I am now able to use my LAN ports as expected and can utilize VLANs on both the router and AP.

Next project: switching to the official firmware on my router!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)