Wired connections to WRT3200ACM have suddenly lost internet connection

I have Linksys WRT3200ACM running OpenWRT 22.02.03 behind ISP modem/router. Router has been working flawlessly for over a year. Suddenly, wired connections to WRT3200ACM have no internet connection.

I can ping router on wired connection, e.g. ping 192.168.1.1.

I can ssh into router on wired connection and successfully ping remote sites, e.g. ping google.com.

I can't ping gateway on wired connection, e.g. ping 192.168.0.1. "Destination Port Unreachable". No internet.

I can't ping remote site on wired connection, e.g. ping google.com returns "unknown host" meaning no internet connection.

I don't recall making any changes to config but clearly something has changed.

Something with the routing, e.g. "Destination Port Unreachable". Router has worked flawlessly for over a year with a heavy load. Something has changed. What?

Reinstall?

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

config rule
        option name 'SSH'
        option dest_port '22 '
        option target 'ACCEPT'
        list proto 'tcp'
        option src 'wan'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd18:c9a3:305f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'ea:9f:80:1c:8c:a8'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'nordvpntun'
        option proto 'none'
        option device 'tun0'

config rule
        option lookup '100'
        option src '192.168.0.11/32'

config route
        option target '0.0.0.0/0'
        option table '100'
        option interface 'wan'
        option gateway '192.168.0.1'




I'd start by looking at your VPN connection... that is probably not working properly.

Also, masquerading should not be enabled on the lan firewall zone, and you should remove the following things:

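The masquerading point in this reply, together with the trailing space in the posted SSH rule's dest_port, can be caught mechanically. The following is an added example, not code from this thread or from OpenWrt: a small Python lint over a constructed excerpt of the posted /etc/config/firewall. It assumes that any zone named as the src of a config forwarding is an inside zone that should not masquerade.

```python
# Constructed excerpt of the /etc/config/firewall posted above, not the full file.
SAMPLE_FIREWALL = """
config zone
        option name 'lan'
        option masq '1'
config zone
        option name 'wan'
        option masq '1'
config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option name 'SSH'
        option dest_port '22 '
        option target 'ACCEPT'
        list proto 'tcp'
        option src 'wan'
"""

def parse_uci(text):
    """Parse UCI text into section dicts; 'option' sets a key, 'list' appends."""
    unq = lambda s: s[1:-1] if len(s) > 1 and s[0] == s[-1] and s[0] in "'\"" else s
    sections = []
    for line in text.splitlines():
        kw, _, rest = line.strip().partition(" ")
        key, _, val = rest.strip().partition(" ")
        val = unq(val.strip())  # strips the quotes only, so '22 ' stays "22 "
        if kw == "config":
            sections.append({"_type": key, "_name": val})
        elif kw == "option" and sections:
            sections[-1][key] = val
        elif kw == "list" and sections:
            sections[-1].setdefault(key, []).append(val)
    return sections

def lint_firewall(text):
    """Flag the things the replies in this thread point at in a firewall config."""
    secs = parse_uci(text)
    inside = {s.get("src") for s in secs if s["_type"] == "forwarding"}  # lan-side zones
    findings = []
    for s in secs:
        name = s.get("name", "?")
        if s["_type"] == "zone" and s.get("masq") == "1" and name in inside:
            findings.append(f"zone {name}: masq enabled on an inside zone")
        if (s["_type"] == "rule" and s.get("src") == "wan" and "dest" not in s
                and s.get("target") == "ACCEPT" and "tcp" in s.get("proto", [])):
            findings.append(f"rule {name}: accepts TCP from wan to the router itself")
        for k, v in s.items():
            for x in (v if isinstance(v, list) else [v]):
                if x != x.strip():
                    findings.append(f"{s['_type']} {name}: {k} value {x!r} has stray whitespace")
    return findings
```

Run it against a full `/etc/config/firewall` dumped from the router to get the same three classes of finding; the zone named vpnfirewall is not flagged because it is only ever a forwarding destination.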

VPN client has been working. I have turned off VPN via luci to get things going again.

I added those things to network by your recommendation and it enabled me to ssh into router remotely. I'll give you a link to post. You solved a big problem.

I'll turn off masquerading and give it another try. I appreciate your help.

...

no change after turning off masquerading. VPN not active.

...I can ssh into router and ping remote sites. So router sees the gateway 192.168.0.1. Everything has been working like a dream for over a year. People go on and on about wireless issues with this router but it is renowned for its wired performance. Don't get it. I have wired connection. Would tcpdump or system logs give us a clue?

Sounds like a DNS issue. Can you ping 9.9.9.9 e.g. from a client? Check logread for errors, specifically dnsmasq ones.

P.S. Please edit your post instead of replying to yourself all the time.

not from clients of router. "Destination Port Unreachable" e.g. no internet, can't reach gateway. I can ssh to router (host) and ping remote sites.

ssh root@192.168.1.1
ping google.com

but not

ping google.com

I'd backup your configuration, then reset to defaults, if that is indeed working, add your modifications bit by bit, and reboot liberally in between to try and narrow it down.

The issue is that I have not changed any configuration. Don't have a clue. Security?

For the record, this wasn't me... the marked solution was from @pavelgl. I would have to read through your old thread to understand the full context for the suggested rule + route, but I think it might be easier to do as @Borromini suggests.

That said, is the upstream router working properly?

Run this command to see if it makes a difference.

nft insert rule inet fw4 forward iifname "br-lan" accept