Locked out when setting up VLAN

I have been trying for hours now, applying different configurations, reading loads of how-tos andcountless forum articles. Whatever I try, I keep getting locked out, when trying to configure a VLAN bridging a WIFI and LAN interface to a VPN. Seems like I am stuck, any hint to get me out would be much appreciated.

Device: Netgear R7800 (Atheros QCA9984) running latest OpenWrt 19.07.6

I have setup 5 Wifi networks. 4 of them should be connected to 4 different VPNs (ProtonVPN). Everything setup and running so far with vpn-policy-routing. 5th wifi is going straight to WAN. Out of the 4 LAN ports at the back of the router, I want to assign 1 port (say no. 4) together with one wifi to one VPN. To get there I have added one VLAN(5) to the switch (port 4, untagged, port no. 4 appears to be 1 in the network config, which is normal). The VLAN(5) is attached to eth1 (tagged). All other LAN ports are untagged in VLAN(2) and attached the eth1, too. The one Wifi (named 'fail') going straight to the WAN (no VPN) is already bridged with VLAN(2) as eth1.2. This part (Wifi 'fail' bridged with 3 remaining LAN ports of VLAN(2)) is working without any issues. All other Wifis connected only to on individual VPN are working as well.
On the firewall I have setup a rule allowing DHCP for each lan network.
So far so good. Everything more or less setup an running. The only thing that is missing is th bridge from wifi 'fgp' to LAN port no. 4 of the router, which is already assigned to VLAN(5), eth1.5. Now, as soon as I change the setup from wireless only to briged I get locked out of the router. I do not get an IP adress via DHCP any more. If I setup an IP manually I cannot get access to LuCi or internet. I cannot even ping the router. The only thing that helps is a reset and reconfiguration. I believe I am creating a loop somewhere. Gone thorugh that many times now. No fun.

I am copying my network config below, reduced to the WIFI with no VPN (fail) and only one WIFI with VPN (fgp). All other WIFI with VPN are configured exactly the same. To keep it simple, I omit 3 of the working wireless VPN nets and reduce only one.

wireless

config wifi-iface 'wifinet0'
	option ssid 'fgp'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option key 'somekey'
	option network 'lanvpn_nz_fgp'

config wifi-iface 'wifinet1'
	option ssid 'fail'
	option encryption 'psk-mixed'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option key 'someotherkey'
network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd62:7ed6:d820::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	list dns '84.200.69.80'
	list dns '84.200.70.40'
	list dns '10.8.8.1'
	list dns '1.1.1.1'
	option delegate '0'
	option ifname 'eth1.2'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.8.8.1'
	list dns '1.1.1.1'
	list dns '84.200.69.80'
	list dns '84.200.70.40'
	option ifname 'eth0.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'
	list dns '10.8.8.1'
	list dns '1.1.1.1'
	list dns '84.200.70.40'
	list dns '84.200.69.80'
	option ifname 'eth0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 3 2'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 1'
	option vid '5'

config interface 'lanvpn_nz_fgp'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '10.8.8.1'
	list dns '1.1.1.1'
	option delegate '0'
	option ipaddr '192.168.4.1'

config interface 'wan_vpn_nz'
	option ifname 'tun8'
	option proto 'none'
	option delegate '0'
firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wan_vpn_nz'
	option mtu_fix '1'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option network 'wan_vpn_nz'
	option input 'REJECT'
	list device 'tun8'

config zone
	option input 'ACCEPT'
	option name 'lan_vpn_nz'
	option output 'ACCEPT'
	option network 'lanvpn_nz_fgp'
	list device 'tun8'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan_vpn_nz'
	option src 'lan_vpn_nz'

config rule
	option src_port '68'
	option src 'lan_vpn_nz'
	option name 'Allow-vpnnz-DHCPv4-Input'
	option target 'ACCEPT'
	option dest_port '67'
	list proto 'udp'