client within VPN no longer reaches anything within same VLAN
The setup
I have 3 VLANs
A: 192.168.20.0/24
B: 192.168.40.0/24
C: 192.168.100.0/24
This is enforced in a router ER605 v2.0. This router also acts as VPN server.
I have some ACLs that block traffic from A/B => C (and B => A/B) but allow C => A/B. This works fine within the network: I am testing with a phone that connects to VLAN C and it can ping anything on A or B; when I connect it to VLAN A it cannot ping anything on C, but it can still ping devices within A. So far so good, this is as I wanted.
I have a VPN that has an internal pool within 192.168.100.0/24.
The problem
When I disconnect the phone from all Wi-Fi networks and connect via VPN, it cannot ping anything on any VLAN, not even its own. The phone is indeed given an IP on VLAN C as expected, typically something like 192.168.100.18.
The weird thing is that this started happening today, since I updated the controller to v5.13.30.20 (it was previously v5.8.7). The VPN router's firmware was also upgraded. Before today this exact same setup was working fine, including VPN access.