The only difference (apart from a different brand of switch) is that I'm trying to deny WAN access to VLAN100 in the FriendlyWrt router instead of using an ACL in the switch.
There doesn't seem to be any hit on the firewall coming from the eth1.100. Therefore the packets are somehow bypassing it, even though you have it configured properly. My guess is that your switch is acting as a router and uses another vlan to reach the internet. Remove the vlan interfaces 9 and 100 from the switch. They are not needed and you can access the switch on vlan4095 for management.
At this juncture... I would test explicitly putting a block rule to stop traffic from the MAC on 10.25.100.1 from being forwarded to WAN.
I think the zone FORWARD is only regarding going to another interface in the zone, not another IP that routes (when I test I get ICMP errors trying to use 2 routers in the same network, so I haven't replicated this 2 router thing - which I still don't understand its need).
I would test by connecting one host directly on the router, that is, exclude the switch from the picture. Test with untagged frames, then tag VLANs 9 and 100, verify you get DHCP, and test access to the internet.
At this point, it's more a case of whether it can be done, instead of should it be done.
I bought this switch to learn a bit about networking; I'm a pharmacist, for Pete's sake.
And I still have the feeling that what I want is possible, and that there is speed to gain when not all traffic has to pass the OpenWrt router first for inter-VLAN routing on the switch.
The "WWW" cloud in the drawing above is in fact another router, running official OpenWrt.
But from the NanoPi's perspective, that's just WAN, so out of the equation here.
Alrighty, try to test with the Rpi directly connected on the NanoPi, using the proper tags or without tagged frames and verify everything works as it should.
I am afraid this is as far as we can go, since this is an OpenWrt forum and none of the above-mentioned devices are running OpenWrt. Even if FriendlyWrt derives from OpenWrt, we are not able to replicate any issues you might face and you'll have better luck at the support forum of FriendlyWrt.
However, I strongly believe that it is not that terrible and you merely were routing with the switch instead of switching.
Yes lleachii, I'm looking.
Again:
10.25.100.2 = virtual router interface on the Brocade switch
10.25.100.1 = interface on the NanoPi running FriendlyWrt <= we are talking about this device here
192.168.1.1 = LAN interface on the WRT1900AC router, running official OpenWrt <= as far as the NanoPi is concerned, this is its WAN
192.168.0.1 = WAN interface on the WRT1900AC (connected to ISP router)
I'm trying to stop traffic between 10.25.100.1 and 192.168.1.1, on the NanoPi.