Cannot connect across subnets of different VLANs

Hello, I want to configure my network to achieve these:

1. IoT devices should be able to access WAN
2. IoT devices should NOT be able to access LAN
3. LAN devices should be able to access IoT
4. Devices of IoT and LAN connect via different SSID

I use VLAN and multiple SSIDs to divide my network to achieve those and have accomplished 1, 2, 4, except the 3.
I tested 3 using the ping command, from devices in LAN or IoT, resulting in request timeout.

Please help me find out what is wrong, thank you

My network looks like this:
OpenWRT(router) --- Switch --- APs --- all devices

Below are the configurations of the interfaces and firewall on the OpenWRT router.

Please let me know if I should attach any other info.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:9dd4:8530::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '6c:b0:ce:11:98:ef'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username 'REMOVED'
	option password 'REMOVED'
	option ipv6 'auto'
	option peerdns '0'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '6c:b0:ce:11:98:f0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 4'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 1t'
	option vid '8'

config interface 'IOT'
	option proto 'static'
	option ifname 'eth0.8'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'LAN2IOT'
	option dest 'IOT'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option name 'IOT2LAN'
	option src 'IOT'
	option dest 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'IOT'
	option name 'IOT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'IOT'

config forwarding
	option dest 'wan'
	option src 'IOT'

config forwarding
	option dest 'IOT'
	option src 'lan'

All APs broadcasts 2 SSID:
SSID-IoT, of VLAN ID 8, for IoT devices
SSID-LAN, of VLAN ID 1, for LAN devices

Some device's firewalls are too paranoid allowing access only from the same subnet.
You can enable masquerading on the destination zone to work around the problem.

The VLAN config also looks weird compared to the documentation:
https://openwrt.org/docs/guide-user/network/vlan/creating_virtual_switches

Thank you for the really fast reply!

I'll learn about masquerading and give it a try.

.. however, it is currently allowed by your firewall configuration:

I presume you added these sections in an attempt to make LAN to IOT connections work. Remove them to deny access from IOT to LAN as desired.

For LAN to IOT communication, they are not needed, since the reverse direction is automatically allowed for known connections.

Thanks. Now I have removed the rule IOT2LAN as well as the forwarding from IOT to lan