How do I configure vlans in a way that lets me access my home server?

I am very new to OpenWRT and vlan configuration.

I want to set up two separate vlans: one for my main devices (PC, server, phones, etc) and one for devices that I want isolated from the rest of the network (Alexa, SmartTV, etc).

I followed OneMarcFly's guide, specifically with vlan filtering outlined here: https://youtu.be/qeuZqRqH-ug?t=862

To summarize my setup:

I have a Linksys WRT1200AC with OpenWRT installed.
The WAN port is connected to my modem.
LAN port 1 is connected to my Netgear Orbi in Access Point mode.
LAN port 2 is connected to my home server.
LAN port 3 is connected to my main PC.
LAN port 4 is connected to my secondary PC.

My filtering setup for br-lan looked like this:

I proceeded to assign my LAN interface to br-lan.1:

The results:
The internet still works, but I can no longer access the WebUI of my home server (LAN port 2) from my main PC (LAN port 3). The same goes for all my docker containers I have WebUIs for (Pi-hole, Nextcloud, etc).

Taking into account the goals I outlined at the top of this post, can anyone point out what's incorrect in my configuration? What should I be doing to ensure my home server (connected to LAN port 2) and main PC (connected to LAN port 3) are on the same vlan network, and can easily access each other?
Also, how do I ensure smart devices like Alexa and AndroidTVs are on the separate vlan I created? (br-lan.3)

Are there any beginner-friendly resources that explain this clearly? There is still a lot of networking terminology I'm unfamiliar with.

There is a guide which should be applicable for your case.
In any case if something is not working it's better to share the following:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user

Thank you for the guide.
I am still a bit confused as to what tagging achieves. The configuration in that guide doesn't take into account the access point I am trying to configure on lan1.
My access point is a Netgear Orbi in AP mode, and I would like there to be two separate wireless networks available to connect to, which connect to two different interfaces on my OpenWRT router. One for my main devices, and one for IOT devices. Kind of like how people separate their home wi-fi from their guest wi-fi.

I actually did set up a Guest Network from within the Orbi's web interface (so I have both home and wi-fi networks) but it's meaningless because they both connect to the same interface on OpenWRT, and devices on the Orbi's guest network can connect to the OpenWRT Luci interface. I know wi-fi networks within openwrt can be configured to use a specific interface, but what about non-openwrt access points connected to a specific port?

Here are the logs from the command you provided (I currently have my br-lan interface assigned to the device "br-lan" instead of the software vlan, because the latter is what was causing my problem):

{
        "kernel": "5.10.89",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1200AC",
        "board_name": "linksys,wrt1200ac",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "Divested-WRT",
                "version": "SNAPSHOT",
                "revision": "r18457+11-4b587f2561",
                "target": "mvebu/cortexa9",
                "description": "Divested-WRT SNAPSHOT r18457+11-4b587f2561"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option vlan_filtering '0'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr 'redacted'
        list dns 'redacted'
        option device 'br-lan'

config device
        option name 'wan'
        option macaddr 'redacted'

config interface 'wan'
        option device 'wan.2'
        option proto 'pppoe'
        option password 'redacted'
        option ipv6 'auto'
        option username 'redacted'
        option peerdns '0'
        list dns '84.200.69.80'
        list dns '84.200.70.40'

config interface 'wan6'
        option device 'wan.2'
        option proto 'pppoe'
        option username 'redacted'
        option password 'redacted'
        option ipv6 'auto'

config interface 'IOT'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr 'redacted.redacted.23.1'
        list dns 'redacted'
        option device 'br-lan.3'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '2'
        option name 'wan.2'
        option macaddr 'redacted'
        option ipv6 '0'

config device
        option name 'eth0'

config device
        option name 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'redacted'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option macaddr 'redacted'
        option ssid 'IOT'
        option encryption 'redacted'
        option key 'redacted'
        option network 'IOT'
        option isolate '1'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'redacted'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option macaddr 'redacted'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config host
        option name 'Homeserver'
        option dns '1'
        option mac 'redacted'
        option ip 'redacted'

config host
        option name 'OrbiRouter'
        option dns '1'
        option mac 'redacted'
        option ip 'redacted'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'IOT'
        list network 'IOT'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'IOT'

config rule
        option name 'IOT DHCP DNS'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option src 'IOT'

The Netgear Orbi must be configured to tag frames on the ethernet port which connects upstream to the OpenWrt and also to assign the SSID to a specific vlan.

vlan_filtering needs to be enabled.

device must be br-lan.1

There is no need to mark vlan1 as primary for lan2-4. They are untagged ports and only untagged frames belonging to vlan1 are expected to ingress this interface.
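A check for the points in the reply above, as an added example that is not part of the original thread: it parses `uci export network` text and flags a bridge with `bridge-vlan` sections but filtering off, an interface still attached to the bare bridge, and a VLAN whose member ports are all tagged. The names `parse_uci` and `check_vlans` are hypothetical, and the sample is constructed by trimming the configuration posted earlier.

```python
import re

# Constructed sample: VLAN-related sections trimmed from the `uci export network` output above.
SAMPLE = """
config device
        option name 'br-lan'
        option vlan_filtering '0'
config interface 'lan'
        option device 'br-lan'
config interface 'IOT'
        option device 'br-lan.3'
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'
"""

def parse_uci(text):
    """Turn `uci export` text into a list of section dicts (list entries become Python lists)."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"_type": key, "_name": val})
        elif kind == "option":
            sections[-1][key] = val
        else:
            sections[-1].setdefault(key, []).append(val)
    return sections

def check_vlans(text):
    """Report the mismatches named in the reply above (hypothetical helper)."""
    secs = parse_uci(text)
    bridged = {s["device"] for s in secs if s["_type"] == "bridge-vlan"}
    out = []
    for s in secs:
        if s["_type"] == "device" and s.get("name") in bridged and s.get("vlan_filtering") != "1":
            out.append(f"{s['name']}: bridge-vlan sections exist but vlan_filtering is not enabled")
        if s["_type"] == "interface" and s.get("device") in bridged:
            out.append(f"{s['_name']}: device is {s['device']}, expected a VLAN device such as {s['device']}.1")
        if s["_type"] == "bridge-vlan" and s.get("ports") and all(":t" in p for p in s["ports"]):
            out.append(f"vlan {s['vlan']}: all member ports tagged, the attached device must tag frames")
    return out
```

Calling `check_vlans(SAMPLE)` returns one finding for each of the three conditions; after the first two are corrected, only the tagged-only VLAN 3 remains, which depends on the device attached to lan1.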

Alright, I've put vlan tagging on my Wi-Fi aside for now.

I have now created two vlan IDs for untagged ports, one for my main lan (br-lan.1) and one for IOT (br-lan.11). I assigned lan1-3 on id 1, and lan4 on id 11.


(lan4 has no link because I haven't turned it on yet. It still shouldn't affect my main br-lan.1 interface though.)

I then assigned the LAN interface to br-lan.1 and the IOT interface to br-lan.11.

It does not work. When I click save and apply, it times out waiting for changes to propagate and I can no longer access the openwrt interface from my main PC on br-lan.1. I have to turn off & on my router to fix it.

You could force apply unchecked, however if there is some mistake you'll get locked out.
The easiest way to bypass that is to create a new management interface and assign it to a new ssid. After you are able to connect to the device over this dedicated management ssid, perform the changes and verify that everything is applied.

But the problem is the vlans simply aren't working. There's no point in creating a new interface when my main PC literally cannot interact with my server on the same vlan, be it through a web interface or through network shares.

The other thing you could try is to use a stable version instead of a snapshot.