Accessing WAN across VLANS

majorthom
Level 1

Hello I have a 3560 switch with ip routing enabled.

On VLAN 1 network is 192.168.4.0/24 with ip at 192.168.4.1 and there's a WAN gateway at 192.168.4.2.

I've set `ip route 0.0.0.0 0.0.0.0 192.168.4.2` and so I can use that gateway if hosts on 192.168.4.0/24 network are set to use router at 192.168.4.1

On VLAN 10 network is 40.0.0.0/25 and ip is 40.0.0.1

I can ping from hosts in 192.168.4.0/24 to hosts on 40.0.0.0/25 and vice versa.

The problem is I cannot get internet access from hosts within 40.0.0.0/25 through the gateway at 40.0.0.1 which should redirect to the gateway at 192.168.4.2 from the ip route wildcard command above.

What am I missing?

One thing I'll mention is that originally I couldn't ping from 40.0.0.0/25 to 192.168.4.2, but in the gateway settings I added 192.168.4.1 as a cascaded router with the 40.0.0.0/25 address space behind it and only then I received the ping replies. So I'm wondering if the gateway is the cause.

My plan B is to setup a NAT across the two networks, but I think this should be possible, surely I'm missing something basic?


balaji.bandi
Hall of Fame

40.0.0.0/25 is a public routable IP range; was this given to you by your ISP?

What WAN router do you have, and what ACL and NAT config is on that router?

I suggest posting the show run config from both the router and the switch so we can guide you correctly.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Shoot, maybe that's why. No, I confused it with private address space; it's not assigned. The WAN gateway is a Nokia BGW320-505, which NATs from a static IP to 192.168.4.0/24, with the 3560 assigning DHCP for both subnets. Any suggestions on improving the config are welcome! Actually, I tested changing to 172.16.0.0/25, and there was no change accessing through the WAN on 192.168.4.2/24.

```
Current configuration : 4404 bytes
!
! Last configuration change at 21:17:14 PDT Sat Oct 29 2022
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname cascade
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
no logging console
no logging monitor
enable secret 8 XXX
!
username XXX privilege 15 secret 8 XXX
no aaa new-model
clock timezone PST -8 0
clock summer-time PDT recurring
system mtu routing 1500
!
ip routing
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.4.1 192.168.4.20
ip dhcp excluded-address 192.168.4.100 192.168.4.254
ip dhcp excluded-address 40.0.0.1 40.0.0.20
ip dhcp excluded-address 40.0.0.120 40.0.0.126
!
ip dhcp pool development
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.2
 domain-name XXX
 dns-server 1.1.1.1 8.8.8.8
 option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
 lease 0 1
!
 default-router 192.168.4.2
 domain-name XXX
 dns-server 1.1.1.1 8.8.8.8
 option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
!
ip dhcp pool layover
 network 40.0.0.0 255.255.255.128
 default-router 40.0.0.1
 domain-name XXX
 dns-server 1.1.1.1 8.8.8.8
 option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
 lease 0 1
!
ip domain-name XXX
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
no cdp run
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 ip address 40.0.0.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip default-gateway 192.168.4.2
ip forward-protocol nd
!
ip http server
ip http banner
ip http access-class 1
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.4.2
ip ssh time-out 60
ip ssh authentication-retries 4
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex diffie-hellman-group14-sha1
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication password
ip ssh server algorithm publickey ssh-rsa
ip scp server enable
!
access-list 1 permit 0.0.0.10 255.255.255.0
access-list 1 permit 0.0.0.11 255.255.255.0
!
configuration mode exclusive
!
line con 0
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 15
 access-class 1 in
 login local
 transport input ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
ntp server time1.google.com
ntp server time3.google.com
ntp server time4.google.com
ntp server time2.google.com
!
end
```

I don't get it: you have a LAN and a WAN, so why does the default route use the LAN IP and not the WAN IP (public IP)?

majorthom
Level 1

.

If this switch is acting as layer 3, then you can remove the below:

no ip default-gateway 192.168.4.2 (since you already have routing towards your Nokia BGW320-505)

Also, you need a static route back from the Nokia BGW320-505 to 192.168.4.1 for the subnet 40.0.0.0/25 (if this is not allocated to you, I suggest replacing it with 172.16.x.x private address space, as you mentioned):

interface Vlan10
 ip address 172.16.x.x 255.255.255.128

Nokia BGW320-505: I am not familiar with this router, so check that NAT is applied to the 172.16.x.x IP range.

BB

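As an added illustration (not code from either poster), here is a small Python model of the path from a VLAN 10 host to the Internet using the thread's addresses. It walks balaji.bandi's two checks in order: the gateway needs a route back for the VLAN 10 subnet, and then NAT for that subnet. The gateway's route table and NAT inside list are assumed shapes, since the Nokia's real configuration is not shown in the thread.

```python
import ipaddress

# Constructed model of the thread's topology (not a real forwarding engine):
# the 3560 routes between VLAN 1 (192.168.4.0/24) and VLAN 10 (40.0.0.0/25) and
# defaults to the Nokia gateway at 192.168.4.2, which NATs "inside" subnets to the ISP.
SWITCH_ROUTES = {"192.168.4.0/24": "connected", "40.0.0.0/25": "connected",
                 "0.0.0.0/0": "192.168.4.2"}
# Assumed gateway state as the thread starts: knows only its own LAN, NATs only that LAN.
GW_ROUTES_BEFORE = {"192.168.4.0/24": "connected", "0.0.0.0/0": "isp"}
NAT_INSIDE_BEFORE = ["192.168.4.0/24"]
# After the "cascaded router" static route back via the switch ...
GW_ROUTES_WITH_ROUTE = {**GW_ROUTES_BEFORE, "40.0.0.0/25": "192.168.4.1"}
# ... and after also adding the VLAN 10 subnet to the NAT inside list.
NAT_INSIDE_AFTER = ["192.168.4.0/24", "40.0.0.0/25"]


def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def egress(src, gw_routes, nat_inside, dst="1.1.1.1"):
    """Trace a host's packet toward the Internet and classify where it breaks."""
    if lookup(SWITCH_ROUTES, dst) != "192.168.4.2":
        return "not-via-gateway"
    # The gateway must route the *source* prefix back toward the switch; otherwise
    # replies (even its own ping replies) head out toward the ISP instead.
    if lookup(gw_routes, src) not in ("connected", "192.168.4.1"):
        return "no-return-route"
    # Then the source must be in the NAT inside list, or it leaves untranslated
    # with a private or foreign-owned address that the ISP will not route back.
    if not any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in nat_inside):
        return "no-nat"
    return "forwarded"


if __name__ == "__main__":
    for host in ("192.168.4.50", "40.0.0.5"):
        print(host, egress(host, GW_ROUTES_BEFORE, NAT_INSIDE_BEFORE),
              egress(host, GW_ROUTES_WITH_ROUTE, NAT_INSIDE_BEFORE),
              egress(host, GW_ROUTES_WITH_ROUTE, NAT_INSIDE_AFTER))
```

The three columns reproduce the thread's progression: VLAN 10 fails first for lack of a return route, then still fails on NAT after the cascaded-router entry, while VLAN 1 works throughout.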

The DHCP pool specifies the default router as 192.168.4.2, which is the router. While this works, I suggest that it would be better if the default router were the switch IP of 192.168.4.1.

There are several other parts of the config that need some attention, such as access list 1 used in access-class. But they do not affect your issue about Internet access for VLAN 10, so I will not spend time on them.

Other than some confusion about which IP subnet is used for VLAN 10, I do not see issues in the switch config that would impact Internet access for VLAN 10. I suspect that the issue is on the router. My best guess (since we have very little detail about the router) is that the router is set up with NAT for 192.168.4.0 and is not set up with NAT for the VLAN 10 subnet (whichever subnet that turns out to be).

HTH

Rick
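Rick flags access-list 1 as needing attention without saying why. This added Python check (not code from the thread) evaluates the posted entries with IOS wildcard-mask semantics, where a 1 bit in the mask means "don't care", and compares them with a host-only ACL; that host-only version is an assumed intent, not something the original poster stated.

```python
import ipaddress

# The two entries exactly as posted in the switch config above.
ACL_AS_CONFIGURED = [("0.0.0.10", "255.255.255.0"), ("0.0.0.11", "255.255.255.0")]
# Assumed intent (not stated in the thread): only hosts .10 and .11 on VLAN 1.
ACL_HOST_ONLY = [("192.168.4.10", "0.0.0.0"), ("192.168.4.11", "0.0.0.0")]


def wildcard_match(addr, acl_addr, wildcard):
    """IOS standard-ACL test: compare only the bits where the wildcard is 0."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(acl_addr)) & care)


def vty_permitted(src, acl):
    """First matching permit wins; a standard ACL ends in an implicit deny."""
    return any(wildcard_match(src, acl_addr, wc) for acl_addr, wc in acl)


def addresses_matched(wildcard):
    """How many IPv4 addresses a single entry with this wildcard can match."""
    return 2 ** bin(int(ipaddress.ip_address(wildcard))).count("1")


if __name__ == "__main__":
    for src in ("192.168.4.10", "40.0.0.10", "203.0.113.10", "192.168.4.50"):
        print(src, vty_permitted(src, ACL_AS_CONFIGURED), vty_permitted(src, ACL_HOST_ONLY))
    print("addresses per posted entry:", addresses_matched("255.255.255.0"))
```

With the posted mask, each entry only pins the last octet, so any source ending in .10 or .11 from any network passes the vty and HTTP access-class; the host-only form restricts it to the two intended management stations.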