Deny VLAN100 WAN access

FYI, this is what I'm trying to accomplish: https://kb.netgear.com/30818/How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-internet-access

The only difference (apart from a different brand of switch) is that I'm trying to deny WAN access to VLAN100 in the FriendlyWrt router instead of using an ACL in the switch.

There doesn't seem to be any hit on the firewall coming from the eth1.100. Therefore the packets are somehow bypassing it, even though you have it configured properly. My guess is that your switch is acting as a router and uses another vlan to reach the internet. Remove the vlan interfaces 9 and 100 from the switch. They are not needed and you can access the switch on vlan4095 for management.

1 Like

Set this to reject.

It is already set to reject and it is not relevant.

1 Like

Yes, I have changed that already, on @lleachii 's request.
Also, I'm trying to stop step 2 to 3 for vlan 100 in this traceroute, not 1 to 2:

Will the switch do routing between vlan 9 and 100 without them?

Definitely not.

1 Like

Wouldn't I see this in the traceroute?
The other vlans have different subnets, 10.25.9.1/24 for vlan 9 and 10.25.1.1/24 for default vlan.

Another thing I can try is to use tcpdump and Wireshark to check the packets arriving and how they are tagged.

At this juncture...I would test explicitly putting a block rule to stop forward of traffic from the MAC on 10.25.100.1 from forwarding to WAN.

I think the zone FORWARD is only regarding going to another interface in the zone, not another IP that routes (when I test I get ICMP errors trying to use 2 routers in the same network, so I haven't replicated this 2 router thing - which I still don't understand its need).

I would test by connecting one host directly on the router, that is exclude the switch from the picture. Test with untagged frames, then tag vlans 9 and 100, verify you get dhcp and test access to the internet.

2 Likes

He can also stop forwarding traffic from the Pi to the "switch" running OpenWrt.

(Recall this "switch" is the "OpenWrt device" :wink: )

Maybe you have a point but if I am not mistaken the switch is not running any *Wrt.

1 Like

Are you sure @trendy?

(And I assume the network is 192.168.1.0/24.)

I suppose @Nikotine should clarify that, but the way I understand it, it is:
internet - main OpenWrt Router - FriendlyWrt Router - SomeSwitch

2 Likes

(As I understood, he doesn't have an official device...perhaps he should re-clarify...)

EDIT:

1 Like

Correct.
I've made you a sketch, lleachii :wink:

At this point, it's more a case of whether it can be done, instead of should it be done.
I bought this switch to learn a bit about networking, I'm a pharmacist for Pete's sake :wink:
And I still have the feeling that what I want is possible, and that there is speed to gain when not all traffic has to pass the OpenWRT router first for inter-vlan routing on the switch.

Thanks, yes another thing I can try.

1 Like

Your picture contradicts your statement!

To be clear, we're talking about this device????


OK...true...trying to understand the diagram now...

The "WWW" cloud in the drawing above in fact is another router, running official OpenWRT.
But from the Nanopi's perspective, that's just WAN, so out of the equation here.

That's not true!!!

Are you actually looking at the traceroute?

???

  • Can you actually identify the device we're helping you with???
  • This device must be running Official OpenWrt.

Alrighty, try to test with the Rpi directly connected on the NanoPi, using the proper tags or without tagged frames and verify everything works as it should.
I am afraid this is as far as we can go, since this is an OpenWrt forum and none of the above-mentioned devices are running OpenWrt. Even if FriendlyWrt derives from OpenWrt, we are not able to replicate any issues you might face, and you'll have better luck at the support forum of FriendlyWrt.
However I strongly believe that it is not that terrible and you merely were routing with the switch instead of switching.

3 Likes

Yes lleachii, I'm looking.
Again:
10.25.100.2 = virtual router interface on the Brocade switch
10.25.100.1 = interface on the Nanopi running Friendlywrt <= we are talking about this device here
192.168.1.1 = LAN interface on the WRT1900AC router, running official OpenWRT <= as far as the Nanopi is concerned, this is its WAN
192.168.0.1 = WAN interface on the WRT1900AC (connected to ISP router)

I'm trying to stop traffic between 10.25.100.1 and 192.168.1.1, on the Nanopi.
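An added example (not from this thread, nor from OpenWrt or FriendlyWrt) that ties together the two checks suggested above: looking at how frames arrive tagged (the tcpdump/Wireshark step) and deciding whether a forward from VLAN 100 to the WAN should be rejected (the block-rule step). It parses the 802.1Q tag and IPv4 addresses from raw Ethernet frames, the same fields `tcpdump -e -i eth1 vlan` prints, and applies a small policy. The subnets are the ones named in the thread; the frames are constructed for the test, and the policy (VLAN 100, or the 10.25.100.0/24 source, may not reach anything outside 10.25.0.0/16) is an assumption. It also shows the failure mode trendy describes: if the switch routes between VLANs, the VLAN 100 traffic reaches the NanoPi on another VLAN, so a rule keyed only on the eth1.100 interface never matches, while a rule keyed on the source subnet still does.

```python
import struct
import ipaddress

# Assumed policy, using the addresses from the thread (constructed lab values).
DENY_WAN_VLANS = {100}                                # VLAN IDs that must not reach the WAN
DENY_WAN_SRC = ipaddress.ip_network("10.25.100.0/24")  # same rule keyed on source subnet
LOCAL_NETS = [ipaddress.ip_network("10.25.0.0/16")]   # anything outside is "WAN" from the NanoPi's view


def parse_frame(frame: bytes) -> dict:
    """Return the 802.1Q VID (None if untagged) and IPv4 addresses of one Ethernet frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vid = 14, None
    if ethertype == 0x8100:                           # 802.1Q tag present: TCI + inner EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                            # low 12 bits of the TCI are the VLAN ID
        offset = 18
    info = {"vid": vid, "src_ip": None, "dst_ip": None}
    if ethertype == 0x0800:                           # IPv4: addresses sit at bytes 12..20 of the header
        src, dst = struct.unpack("!4s4s", frame[offset + 12:offset + 20])
        info["src_ip"] = ipaddress.IPv4Address(src)
        info["dst_ip"] = ipaddress.IPv4Address(dst)
    return info


def verdict(info: dict, match_source: bool = True) -> str:
    """Forwarding decision for a parsed frame.

    match_source=False models a rule that only matches the eth1.100 interface (VID 100);
    match_source=True additionally matches the 10.25.100.0/24 source subnet, which still
    catches traffic the switch has already routed onto another VLAN.
    """
    if info["dst_ip"] is None:
        return "accept"                               # non-IPv4 (ARP etc.) is not forwarded
    to_wan = not any(info["dst_ip"] in net for net in LOCAL_NETS)
    from_vlan100 = info["vid"] in DENY_WAN_VLANS
    from_subnet100 = match_source and info["src_ip"] in DENY_WAN_SRC
    if to_wan and (from_vlan100 or from_subnet100):
        return "reject"
    return "accept"


def build_frame(src_ip: str, dst_ip: str, vid=None) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame (ICMP, empty payload) for testing."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
    if vid is not None:
        eth += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def audit(frames, match_source: bool = True):
    """Run the policy over captured frames; returns (vid, src, dst, verdict) tuples."""
    rows = []
    for frame in frames:
        info = parse_frame(frame)
        rows.append((info["vid"], str(info["src_ip"]), str(info["dst_ip"]),
                     verdict(info, match_source)))
    return rows


if __name__ == "__main__":
    sample = [
        build_frame("10.25.100.2", "192.168.1.1", vid=100),  # VLAN 100 host to the NanoPi's upstream
        build_frame("10.25.100.2", "10.25.9.1", vid=100),    # inter-VLAN, stays local
        build_frame("10.25.9.2", "192.168.1.1", vid=9),      # VLAN 9 is allowed out
        build_frame("10.25.100.2", "8.8.8.8", vid=9),        # VLAN 100 traffic already routed by the switch
    ]
    for row in audit(sample, match_source=False):
        print("interface-only rule:", row)
    for row in audit(sample, match_source=True):
        print("source-subnet rule: ", row)
```

On the NanoPi itself the equivalent of the `match_source=True` decision is a firewall rule whose `src_ip` is 10.25.100.0/24, `dest` is the wan zone and `target` is REJECT, rather than a rule tied only to the zone that contains eth1.100; the capture step tells you which of the two situations you are in.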