Firewall4 custom nftables rule with dup statement results in "Unknown Family"

My reading of the man page seems to indicate that the 'to' address must be a gateway, not a broadcast address. Maybe try it with just dup to "br-iot" and see if that works?

       Table 72. Dup statement values
       ┌───────────┬───────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
       │Expression │ Description                                       │ Type                                              │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │address    │ Specifies that the copy of the packet should be   │ ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can │
       │           │ sent to a new gateway.                            │ use a mapping, e.g. ip saddr map { 192.168.1.2 :  │
       │           │                                                   │ 10.1.1.1 }                                        │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │device     │ Specifies that the copy should be transmitted via │ string                                            │
       │           │ device.                                           │                                                   │
       └───────────┴───────────────────────────────────────────────────┴───────────────────────────────────────────────────┘
       Using the dup statement.
...
           # copy raw frame to another interface
           netdev ingress dup to "eth0"
           dup to "eth0"