Good evening everybody,
I have been trying to make this work since quite a while but failed with what ever I tried.. I hope some one here could help me ... 
thanks a lot in advance!
I set up a DMZ for my IOT devices (interface "LAN_IOT") and a zone for the "normal" LAN devices (interface "lan"). The problem now is: I am not able to access the IOT devices from the lan whatever I try... please refer to my config files below. I have changed and experimented quite a lot but without success.
Some background to my setting: I am running a TP-Link TL-WR1043N/ND v4 with OpenWrt 18.06.1 r7258-5eb055306f (just upgraded today) behind my ISP router. All but one network devices are attached by Wifi except one devices (IP phone base station connected by ethernet patch cable).
Thanks a lot!
Best
Markus
/etc/config/wirless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/qca956x_wmac'
option htmode 'HT20'
option legacy_rates '1'
option country 'US'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'lan'
option encryption 'psk2+ccmp'
option key 'pw'
option wpa_disable_eapol_key_retries '1'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'Guest'
option isolate '1'
option encryption 'psk2+ccmp'
option wpa_disable_eapol_key_retries '1'
option key 'pw'
option network 'Guest_LAN'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'IOT'
option network 'IOT_LAN'
option isolate '1'
option encryption 'psk2+ccmp'
option key 'Ipw'
option wpa_disable_eapol_key_retries '1'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xx::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.30.1'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'macaddr'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_dev'
option name 'eth0.2'
option macaddr '98:de:d0:c1:f4:0f'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1 2'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 4'
config interface 'MGM_LAN'
option proto 'static'
option ifname 'eth0.3'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '0t 3'
config interface 'IOT_LAN'
option proto 'static'
option ifname 'eth0.4'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'
option type 'bridge'
config interface 'Guest_LAN'
option proto 'static'
option ipaddr '192.168.80.1'
option netmask '255.255.255.0'
option type 'bridge'
/etc/config/firewall
config rule
option target 'ACCEPT'
option src 'lan'
option name 'LAN_AccessTP'
option dest_ip '192.168.30.1'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'LAN_AccessIPPhoneBase'
option dest_ip '192.168.50.194'
option dest 'IOT_LAN'
option dest_port '80'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'GUEST_LAN_DNS'
option src 'Guest_LAN'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67-68'
option name 'GUEST_LAN_DHCP'
option src 'Guest_LAN'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'LAN_DNS'
option dest_port '53'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'LAN_DHCP'
option dest_port '67-68'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'IOT_LAN_DNS'
option src 'IOT_LAN'
config rule
option target 'ACCEPT'
option src 'IOT_LAN'
option name 'IOT_LAN_DHCP'
option dest_port '67-68'
config rule
option src 'Guest_LAN'
option name 'GUEST_LAN_BlockISPLAN'
option dest 'wan'
option dest_ip '192.168.1.1/24'
option target 'REJECT'
config rule
option src 'Guest_LAN'
option name 'GUEST_LAN_BlockTPRouter'
option target 'REJECT'
option dest_ip '192.168.80.1'
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
config zone
option name 'lan'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
option input 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config include
option path '/etc/firewall.user'
config zone
option name 'Guest_LAN'
option output 'ACCEPT'
option network 'Guest_LAN'
option input 'REJECT'
option forward 'REJECT'
config zone
option name 'MGM_LAN'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'MGM_LAN'
option forward 'ACCEPT'
config forwarding
option dest 'wan'
option src 'Guest_LAN'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'IOT_LAN'
option network 'IOT_LAN'
option input 'REJECT'
config forwarding
option dest 'wan'
option src 'IOT_LAN'
config forwarding
option dest 'Guest_LAN'
option src 'MGM_LAN'
config forwarding
option dest 'IOT_LAN'
option src 'MGM_LAN'
config forwarding
option dest 'wan'
option src 'MGM_LAN'
config forwarding
option dest 'IOT_LAN'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'MGM_LAN'
config rule
option enabled '1'
option src 'IOT_LAN'
option name 'IOT_LAN_BlockISPLAN'
option dest_ip '192.168.1.1/24'
option dest 'wan'
option target 'REJECT'