I have seen your post on Reddit and I'll answer the same here. I think you are trying to change too many things at once, causing a potential order-of-operations issue. You should start with changing the native VLANs towards the APs (assuming you don't configure a mgmt VLAN on the APs, of course) and let them come online again on their new VLAN. Maybe verify that the DNS queries/responses towards the APs are going in both directions. Then, before changing the native VLAN config between MX and MS, I would first try to change the mgmt VLAN on the switch and see if it comes up with or without the DNS issue. So make sure your VLAN 21 is passed between the MX LAN ports and the MS uplink port. Maybe verify on the switch that you can actually see the MX MAC address on VLAN 21 before you actually change the MGMT VLAN. Then do all your DNS testing with captures, just to see if everything else works (the VPN is passing the requests/responses). Then finally, if that step works, change the native VLAN on the switch first, wait for it, and then do the change on the MX too. If that fails, there is clearly a layer 2 issue. Normally, if you don't have secondary links or weird links between an HA pair of MXs, then you shouldn't have these problems; however, it can sometimes occur that a change does not fully go through on the switch without rebooting it, causing the dashboard to think the VLAN config is correct while the switch itself is not acting like it. There should be someone onsite who has the ability to place their PC/laptop in the 1.1.1.0/24 range so you can try to locally reach the switch on 1.1.1.100 and log in locally to check in what area the switch is failing and, if needed, change the uplink native VLAN locally.