Trunk port1 on DD-WRT AP (vlan1 and vlan3) is connected by cable to OpenWrt eth2.
As you suggested, I added a guest interface which has device eth2.3. I changed it from eth1.2 as the cable is connected to OpenWrt eth2. And for guest I use vlan tag 3, for some DD-WRT or router-specific reasons. The guest network is 192.168.3.0/24.
As far as I understand, eth2.1 stands for the vlan1 tag on eth2. eth2.1 is not being used for anything else in my configuration. At least by intention - my knowledge might be limited here.
So 192.168.1.0/24 yes, but 192.168.1.0/24 is shared with OpenWrt's managed lan (24-port switch connected to OpenWrt eth1).
Without adding eth2.1 to br-lan, devices connected to vlan1 on DD-WRT had no access to lan, wan or guest. They didn't even get DHCP.
Additionally I added

config forwarding
	option src 'lan'
	option dest 'guest'

to the firewall for devices in lan to access IoT devices in the guest network.
I also enabled AP isolation on the DD-WRT router for client isolation.
The only thing that is unsolved at the moment is a guest-to-lan access exception by client MAC address, to allow certain guest devices to access certain resources in the lan zone.
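
One way to express the MAC-based exception described above in /etc/config/firewall, as an added example that is not part of the original post. The zone names 'lan' and 'guest' come from the post; the rule name, MAC address, destination host and port are constructed placeholders.

```uci
# Existing one-way forwarding from the post: lan may reach guest.
config forwarding
	option src 'lan'
	option dest 'guest'

# Added example: allow one guest client to reach one lan resource.
# All values below are constructed placeholders, not taken from the post.
config rule
	option name 'guest-client-to-lan-host'
	option src 'guest'
	option dest 'lan'
	# Source MAC of the permitted guest device (placeholder).
	# A MAC address is set by the client, so keep the destination
	# as narrow as possible instead of opening the whole lan zone.
	option src_mac '00:11:22:33:44:55'
	# Single host inside 192.168.1.0/24 (placeholder address).
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	# Only the service this client needs (placeholder port).
	option dest_port '80'
	option target 'ACCEPT'
```

No guest-to-lan forwarding section is added, so all other guest clients stay subject to the guest zone's forward policy.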