Can ping VLAN but no other traffic goes through on wireguard

I have this setup (simplified for the sake of keeping it simple)

and this is my config:

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "Malital12-MR",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi Mi Router 4A V2 (100M Edition)",
	"board_name": "xiaomi,mi-router-4av2-100m",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config globals 'globals'
	option ula_prefix 'fde3:1af6:376b::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable '1'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '6t 2t'
	option description 'APT07'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option ports '6t 2t'
	option description 'APT08'

config switch_vlan
	option device 'switch0'
	option vlan '9'
	option ports '6t 2t'
	option description 'APT09'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '6t 2t'
	option description 'APT10'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '6t 2t'
	option description 'APT11'

config switch_vlan
	option device 'switch0'
	option vlan '12'
	option ports '6t 2t'
	option description 'APT12'

config switch_vlan
	option device 'switch0'
	option ports '6t 2t'
	option vlan '13'
	option description 'APT13'

config switch_vlan
	option device 'switch0'
	option ports '6t 0'
	option vlan '53'
	option description 'wan'

config switch_vlan
	option device 'switch0'
	option ports '6t 4'
	option vlan '69'
	option description 'CAM/NVR/LIFT'

config switch_vlan
	option device 'switch0'
	option ports '6t'
	option vlan '99'
	option description 'temp'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.7'
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option ipv6 '0'

config device
	option name 'eth0.8'
	option type '8021q'
	option ifname 'eth0'
	option vid '8'
	option ipv6 '0'

config device
	option name 'eth0.9'
	option type '8021q'
	option ifname 'eth0'
	option vid '9'
	option ipv6 '0'

config device
	option name 'eth0.10'
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option ipv6 '0'

config device
	option name 'eth0.11'
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option ipv6 '0'

config device
	option name 'eth0.12'
	option type '8021q'
	option ifname 'eth0'
	option vid '12'
	option ipv6 '0'

config device
	option name 'eth0.13'
	option type '8021q'
	option ifname 'eth0'
	option vid '13'
	option ipv6 '0'

config device
	option name 'eth0.53'
	option type '8021q'
	option ifname 'eth0'
	option vid '53'
	option ipv6 '0'

config device
	option name 'eth0.69'
	option type '8021q'
	option ifname 'eth0'
	option vid '69'
	option ipv6 '0'

config device
	option name 'eth0.99'
	option type '8021q'
	option ifname 'eth0'
	option vid '99'
	option ipv6 '0'

config device
	option name 'br-private'
	option type 'bridge'
	list ports 'eth0.69'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.99'
	option ipv6 '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'
	option mtu '1500'

config device
	option name 'phy1-ap0'
	option ipv6 '0'
	option mtu '1500'

config interface 'APT07'
	option proto 'static'
	option device 'eth0.7'
	option ipaddr '192.168.52.1'
	option netmask '255.255.255.0'

config interface 'APT08'
	option proto 'static'
	option device 'eth0.8'
	option ipaddr '192.168.53.1'
	option netmask '255.255.255.0'

config interface 'APT09'
	option proto 'static'
	option device 'eth0.9'
	option ipaddr '192.168.54.1'
	option netmask '255.255.255.0'

config interface 'APT10'
	option proto 'static'
	option device 'eth0.10'
	option ipaddr '192.168.55.1'
	option netmask '255.255.255.0'

config interface 'APT11'
	option proto 'static'
	option device 'eth0.11'
	option ipaddr '192.168.56.1'
	option netmask '255.255.255.0'

config interface 'APT12'
	option proto 'static'
	option device 'eth0.12'
	option ipaddr '192.168.57.1'
	option netmask '255.255.255.0'

config interface 'APT13'
	option proto 'static'
	option device 'eth0.13'
	option ipaddr '192.168.58.1'
	option netmask '255.255.255.0'

config interface 'PRIVATE'
	option proto 'static'
	option device 'br-private'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.59.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth0.53'
	option proto 'static'
	option ipaddr '192.168.0.191'
	option gateway '192.168.0.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.0.255'
	option dns '192.168.0.1'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'


# WireGuard interface on the router. It listens on UDP 51820, the same port
# that the 'Allow-WireGuard' firewall rule accepts from the wan zone.
config interface 'vpn'
	option proto 'wireguard'
	# The router's own private key; empty here, presumably redacted for posting.
	option private_key ''
	option listen_port '51820'
	# Tunnel subnet 192.168.60.0/24; the peers below use .2, .3 and .4.
	list addresses '192.168.60.1/24'
#	list addresses 'fd00:9::1/64'

# Peer sections for interface 'vpn' (section type wireguard_<interface name>).
# allowed_ips is a single /32 per peer, so the router accepts tunnel packets
# from a peer only when they carry that peer's own tunnel address as source.
config wireguard_vpn 'wg_mobile'
	option description 'wg_mobile'
	# NOTE(review): the router does not need a peer's private key to run the
	# tunnel; public_key (plus the optional preshared_key) is enough. As far as
	# I know this option only exists so LuCI can re-export the client config.
	# Leaving it unset keeps client secrets off the router - confirm before removing.
	option private_key ''
	# Key material is blank as posted, presumably redacted.
	option public_key ''
	option preshared_key ''
	list allowed_ips '192.168.60.2/32'
#	list allowed_ips 'fd00:9::2/128'

# Same layout as wg_mobile; the private_key note above applies here too.
config wireguard_vpn 'wg_pc'
	option description 'wg_pc'
	option private_key ''
	option public_key ''
	option preshared_key ''
	list allowed_ips '192.168.60.3/32'
#	list allowed_ips 'fd00:9::3/128'

# Same layout as wg_mobile; the private_key note above applies here too.
config wireguard_vpn 'wg_laptop'
	option description 'wg_laptop'
	option private_key ''
	option public_key ''
	option preshared_key ''
	list allowed_ips '192.168.60.4/32'
#	list allowed_ips 'fd00:9::4/128'

cat /etc/config/dhcp

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '7'

config dnsmasq
	option cachesize '1000'
	option domain 'lan'
	option domainneeded '1'
	option ednspacket_max '1232'
	option expandhosts '1'
	option leasefile '/tmp/dhcp.leases'
	option local '/lan/'
	option localise_queries '1'
	option localservice '1'
	option logqueries '0'
	option logdhcp '0'
	option readethers '1'
	option rebind_localhost '1'
	option rebind_protection '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option authoritative '1'

config dhcp 'APT07'
	option interface 'APT07'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT08'
	option interface 'APT08'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT09'
	option interface 'APT09'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT10'
	option interface 'APT10'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT11'
	option interface 'APT11'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT12'
	option interface 'APT12'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'APT13'
	option interface 'APT13'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'PRIVATE'
	option interface 'PRIVATE'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone 'lan' contains both the 'lan' bridge network and the WireGuard network
# 'vpn'. VPN peers therefore get the same trust as wired lan hosts:
#   - input ACCEPT: they can reach every service listening on the router;
#   - every 'config forwarding' entry with src 'lan' applies to them too
#     (APT07..APT13, PRIVATE and wan in this file).
# NOTE(review): if remote peers should see less than the local lan, put 'vpn'
# in its own zone and list only the forwardings it actually needs.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'APT07'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT07'

config zone
	option name 'APT08'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT08'

config zone
	option name 'APT09'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT09'

config zone
	option name 'APT10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT10'

config zone
	option name 'APT11'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT11'

config zone
	option name 'APT12'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT12'

# Zone for network 'APT13' (eth0.13, 192.168.58.1/24), the subnet holding the
# 192.168.58.3 host from the question.
# input ACCEPT lets every host on this VLAN reach any service the router
# listens on, not only DHCP and DNS.
# NOTE(review): if the APTxx VLANs are untrusted segments, consider
# input REJECT plus explicit rules for DHCP (udp/67) and DNS (53) - confirm intent.
config zone
	option name 'APT13'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'APT13'

config zone
	option name 'PRIVATE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PRIVATE'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'APT07'

config forwarding
	option src 'lan'
	option dest 'APT08'

config forwarding
	option src 'lan'
	option dest 'APT09'

config forwarding
	option src 'lan'
	option dest 'APT10'

config forwarding
	option src 'lan'
	option dest 'APT11'

config forwarding
	option src 'lan'
	option dest 'APT12'

config forwarding
	option src 'lan'
	option dest 'APT13'

config forwarding
	option src 'lan'
	option dest 'PRIVATE'

config forwarding
	option src 'APT07'
	option dest 'wan'

config forwarding
	option src 'APT08'
	option dest 'wan'

config forwarding
	option src 'APT09'
	option dest 'wan'

config forwarding
	option src 'APT10'
	option dest 'wan'

config forwarding
	option src 'APT11'
	option dest 'wan'

config forwarding
	option src 'APT12'
	option dest 'wan'

config forwarding
	option src 'APT13'
	option dest 'wan'

config forwarding
	option src 'PRIVATE'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'APT07'
	option dest 'lan'

config forwarding
	option src 'APT08'
	option dest 'lan'

config forwarding
	option src 'APT09'
	option dest 'lan'

config forwarding
	option src 'APT10'
	option dest 'lan'

config forwarding
	option src 'APT11'
	option dest 'lan'

config forwarding
	option src 'APT12'
	option dest 'lan'

# Lets hosts in APT13 open NEW connections into zone 'lan', which also
# contains the 'vpn' network, so this reaches WireGuard peers as well.
# Replies to connections started from lan/vpn are normally accepted by the
# firewall's connection tracking and should not depend on this entry.
# NOTE(review): drop this entry if APT13 hosts have no reason to initiate
# traffic towards lan/vpn.
config forwarding
	option src 'APT13'
	option dest 'lan'

config forwarding
	option src 'PRIVATE'
	option dest 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Accepts UDP port 67 (DHCP server) sent to the router from zone APT13.
# There is no 'dest' option, so this is an input rule.
# NOTE(review): the name says PRIVATE but src is 'APT13' - confirm which zone
# was intended. As written the rule is redundant, because zone APT13 already
# has input ACCEPT; it only matters once that zone's input policy is tightened.
config rule
	option name 'Allow-DHCP-PRIVATE'
	list proto 'udp'
	option src 'APT13'
	option dest_port '67'
	option target 'ACCEPT'

# Opens the WireGuard listen port (UDP 51820, matching listen_port on
# interface 'vpn') to the wan zone. There is no 'dest' option, so this is an
# input rule for the router itself, not a port forward.
# No 'family' is set, so the rule is not restricted to IPv4.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

When I ping 192.168.58.3 and 192.168.58.4 from the laptop, from the main router (192.168.59.1), or from a device connected via the WireGuard VPN, I get a reply, and tcpdump shows this traffic:

13:38:12.836892 vpn   In  IP 192.168.60.3 > 192.168.58.3: ICMP echo request, id 1, seq 34840, length 40
13:38:12.837092 eth0.13 Out IP 192.168.60.3 > 192.168.58.3: ICMP echo request, id 1, seq 34840, length 40
13:38:12.838801 eth0  In  IP 192.168.58.3 > 192.168.60.3: ICMP echo reply, id 1, seq 34840, length 40
13:38:12.838801 eth0.13 In  IP 192.168.58.3 > 192.168.60.3: ICMP echo reply, id 1, seq 34840, length 40
13:38:12.838925 vpn   Out IP 192.168.58.3 > 192.168.60.3: ICMP echo reply, id 1, seq 34840, length 40

When I try to wget http://192.168.58.3 from the main router (192.168.59.1), I get a connection and download the index.html. Again, tcpdump shows the connection happening:

14:21:26.481041 eth0.13 Out IP 192.168.58.1.40320 > 192.168.58.3.80: Flags [S], seq 1904221898, win 64240, options [mss 1460,sackOK,TS val 3078947386 ecr 0,nop,wscale 3], length 0
14:21:26.481603 eth0  In  IP 192.168.58.3.80 > 192.168.58.1.40320: Flags [S.], seq 2926815483, ack 1904221899, win 5792, options [mss 1460,sackOK,TS val 190378881 ecr 3078947386,nop,wscale 1], length 0
14:21:26.481603 eth0.13 In  IP 192.168.58.3.80 > 192.168.58.1.40320: Flags [S.], seq 2926815483, ack 1904221899, win 5792, options [mss 1460,sackOK,TS val 190378881 ecr 3078947386,nop,wscale 1], length 0
14:21:26.481878 eth0.13 Out IP 192.168.58.1.40320 > 192.168.58.3.80: Flags [.], ack 1, win 8030, options [nop,nop,TS val 3078947387 ecr 190378881], length 0
14:21:26.483471 eth0.13 Out IP 192.168.58.1.40320 > 192.168.58.3.80: Flags [P.], seq 1:37, ack 1, win 8030, options [nop,nop,TS val 3078947389 ecr 190378881], length 36: HTTP: GET / HTTP/1.1
14:21:26.484224 eth0  In  IP 192.168.58.3.80 > 192.168.58.1.40320: Flags [.], ack 37, win 2896, options [nop,nop,TS val 190378881 ecr 3078947389], length 0
14:21:26.484224 eth0.13 In  IP 192.168.58.3.80 > 192.168.58.1.40320: Flags [.], ack 37, win 2896, options [nop,nop,TS val 190378881 ecr 3078947389], length 0

But when I try to access the web page on 192.168.58.3 from a device connected via WireGuard, I cannot connect, and tcpdump shows:

13:38:43.756442 vpn   In  IP 192.168.60.3.3046 > 192.168.58.3.80: Flags [S], seq 2417522768, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
13:38:43.756649 eth0.13 Out IP 192.168.60.3.3046 > 192.168.58.3.80: Flags [S], seq 2417522768, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
13:38:44.021440 vpn   In  IP 192.168.60.3.3047 > 192.168.58.3.80: Flags [S], seq 79074374, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
13:38:44.021651 eth0.13 Out IP 192.168.60.3.3047 > 192.168.58.3.80: Flags [S], seq 79074374, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0

What am I missing? Thanks