Need help - Interzone traffic between 2 zones

My router is set up with 6 VLANs:
vlan 10 - LAN (Admin),
vlan 20 - Host
vlan 30 - Guest
vlan 50 - IOT
vlan 60 - USA
vlan 70 - IND

  • Each has its own interface and a wifi AP
  • Each VLAN is set up with a dedicated firewall zone with appropriate rules.
  • I want to access IOT (50.x) from Host (20.x).
    • I set up a firewall rule to allow traffic from any IP in Host (20.x) to one host (50.11) in IOT, but I can't reach it (no TCP, UDP or ICMP traffic goes through).
  • I thought maybe I had messed up and relaxed the rule to allow traffic from any IP in 20.x to any IP in 50.x. However, other hosts on 50.x are then accessible from 20.x, but 50.11 still is not.
  • I'm also using Policy Based Routing to route outbound internet traffic conditionally, based on subnet.
  • Within 50.x, all devices can talk to each other, including 50.11, with no problem.

Can someone help me identify and fix the issue?

Here are my network and firewall configs.

Network

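# /etc/config/network as posted (MAC addresses, WireGuard keys and tunnel
# addresses were redacted by the author as 'xx..').
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# One VLAN-aware bridge over the five switch ports. Which VLAN each port
# carries is defined by the bridge-vlan sections below, not here.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan5'
	option macaddr 'xx:xx:xx:xx:xx:xx'

# Admin VLAN 10 (192.168.10.0/24), firewall zone 'lan'. IPv6 is disabled on
# this interface (ipv6 '0', delegate '0'), so ip6assign has no effect.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option delegate '0'

config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

# Upstream on eth1 via DHCP, IPv4 only.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option ipv6 '0'

# VLAN 10: tagged on lan1/3/4/5 and untagged + PVID ('u*') on lan2. lan2 is the
# only port with an untagged VLAN and is not a member of any other VLAN, so a
# device plugged into lan2 always lands in the admin VLAN.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

# VLANs 20-70: tagged only, on the same four trunk ports (lan1/3/4/5).
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '60'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '70'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

# Host VLAN 20 (192.168.20.0/24), firewall zone 'host'. This is the source
# side of the failing host -> 192.168.50.11 connection.
config interface 'Host'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# Guest VLAN 30 (192.168.30.0/24), firewall zone 'guest'.
config interface 'Guest'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# IOT VLAN 50 (192.168.50.0/24), firewall zone 'iot'. 192.168.50.11 lives here.
config interface 'IOT'
	option proto 'static'
	option device 'br-lan.50'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# VLAN 60 (192.168.60.0/24), firewall zone 'usa'.
config interface 'USA'
	option proto 'static'
	option device 'br-lan.60'
	option ipaddr '192.168.60.1'
	option netmask '255.255.255.0'

# VLAN 70 (192.168.70.0/24), firewall zone 'ind'; forwarded to the tun0 zone
# in the firewall config.
config interface 'IND'
	option proto 'static'
	option device 'br-lan.70'
	option ipaddr '192.168.70.1'
	option netmask '255.255.255.0'

# WireGuard tunnel attached to firewall zone 'wg_iot' (the firewall forwards
# iot -> wg_iot). route_allowed_ips is NOT set here, so netifd does not install
# routes for the peer's 0.0.0.0/0 and ::/0 allowed_ips; presumably the PBR
# package is what steers selected subnets/hosts into this tunnel - confirm with
# `ip rule` and the pbr configuration.
config interface 'WG_IOT'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxx'
	list addresses 'xx.xx.xx.xx'
	list addresses 'xxxx.xxxx.xxxx'
	list dns 'xx.xx.xx.xx'
	list dns 'xxxx.xxxx.xxxx'

# Pre-existing tun device managed outside netifd (proto 'none'); firewall zone
# 'tun0' is bound to it.
config interface 'tun0'
	option proto 'none'
	option device 'tun0'

# Single peer for WG_IOT. allowed_ips 0.0.0.0/0 and ::/0 means WireGuard
# accepts ANY source address arriving from this peer (cryptokey routing), which
# matters for the wg_iot -> wan forwarding in the firewall config.
config wireguard_WG_IOT
	option description 'Imported peer configuration'
	option public_key 'xxxxxxx'
	option preshared_key 'xxxxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '15'
	option endpoint_host 'xx.xx.xx.xx'
	# NOTE(review): the closing quote after 1637 was missing in the posted
	# text; as posted, uci would fail to parse the file. Restored here - if the
	# quote is also missing on the router, `uci show network` will report it.
	option endpoint_port '1637'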

Firewall

# /etc/config/firewall as posted. fw4 evaluates `config rule` and
# `config redirect` sections in file order within their chain; zones and
# forwardings may be declared in any order, which is why rules that reference
# 'iot' appear before the 'iot' zone itself.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Admin zone (VLAN 10): all router services reachable. The zone-level
# forward 'ACCEPT' only covers traffic between networks INSIDE this zone;
# reaching another zone (e.g. iot) still needs a `config forwarding` or an
# explicit rule - only lan -> wan is declared in this file.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: masquerade + MSS clamping, nothing accepted inbound except the
# default rules below.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# --- OpenWrt default WAN-facing rules (DHCP renew, ping, IGMP, DHCPv6, MLD,
# --- ICMPv6, IPsec). Unchanged from the stock config; IPv6 is disabled on
# --- the wan interface so the ipv6 rules are effectively idle.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Host zone (VLAN 20): no router services except DHCP/DNS below, no
# forwarding except to wan and the single host -> iot rule further down.
config zone
	option name 'host'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Host'

# No proto given, so fw4 applies its default of tcp+udp; no dest, so this is
# INPUT to the router itself (DHCP and DNS served by the router). The same
# pattern is repeated for guest, iot, usa and ind.
config rule
	option name 'Allow_Host_DHCP_DNS'
	option src 'host'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'host'
	option dest 'wan'

# Guest zone (VLAN 30): internet only.
config zone
	option name 'guest'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow_Guest_DHCP_DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Declared before the 'iot' zone it references; fine for fw4.
config rule
	option name 'Allow_IOT_DHCP_DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# IOT zone (VLAN 50). Note: there is NO iot -> wan forwarding; the only
# forwarding out of this zone is iot -> wg_iot (declared below), i.e. IOT
# egress goes through the WireGuard tunnel.
config zone
	option name 'iot'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'IOT'

# 'usa' zone (VLAN 60): internet only.
config zone
	option name 'usa'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'USA'

config forwarding
	option src 'usa'
	option dest 'wan'

config rule
	option name 'Allow_USA_DHCP_DNS'
	option src 'usa'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# 'ind' zone (VLAN 70): no direct wan forwarding; egress is ind -> tun0 (below).
config zone
	option name 'ind'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'IND'

config rule
	option name 'Allow_IND_DHCP_DNS'
	option src 'ind'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# The only host -> iot opening in the posted config. It matches ONLY
# destination port 32400 on 192.168.50.11, so "no TCP, UDP or ICMP goes
# through" is the expected outcome for everything except Plex. The port match
# cannot apply to the icmp proto entry (ICMP has no ports); check `fw4 print`
# to see whether fw4 emits the icmp variant at all - ping from 20.x should not
# be expected to work via this rule as written. The relaxed "any 20.x -> any
# 50.x" variant the author tried is not the one shown here.
#
# NOTE(review): the post says other 50.x hosts ARE reachable from 20.x with the
# relaxed rule while 50.11 is not, and 50.11 is the host the tunnel-side DNATs
# below point at, so presumably it is one of the hosts whose traffic PBR sends
# into WG_IOT. If PBR routes 192.168.50.11's outbound packets into the tunnel,
# its replies to 192.168.20.x leave via WG_IOT (and get masqueraded by zone
# wg_iot) instead of returning to the host zone - asymmetric routing that looks
# exactly like a firewall drop. Verify with `ip rule`, the routing table PBR
# uses (`ip route show table <PBR_TABLE>`), and the PBR policy for 50.11;
# a PBR exemption for 192.168.10.0/24 would also explain why LAN (10.x) can
# reach 50.11 once lan -> iot is allowed but host (20.x) cannot.
config rule
	option name 'Allow_Host_IOT_Plex_Access'
	option src 'host'
	option dest 'iot'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list dest_ip '192.168.50.11'
	option dest_port '32400'

# Tunnel-side zone: masq '1' SNATs everything that leaves via WG_IOT, which is
# what hides the 50.x source from the tunnel peer (and, if replies from 50.11
# are mis-routed into the tunnel, what breaks the host -> 50.11 connection).
config zone
	option name 'wg_iot'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'WG_IOT'
	option masq '1'

# Allows traffic ARRIVING from the tunnel peer to be forwarded out the WAN.
# With the peer's allowed_ips set to 0.0.0.0/0 in the network config, any
# source address the remote end sends down the tunnel is accepted as wg_iot
# traffic. If the tunnel is only meant as IOT egress, this forwarding (and the
# tun0 -> wan one further down) is probably not needed - confirm the intent.
config forwarding
	option src 'wg_iot'
	option dest 'wan'

# Hook for the PBR package; its policies live in /etc/config/pbr, not here.
# This is the most likely place for the per-subnet / per-host routing the
# author mentions, and the first thing to inspect for the 50.11 case above.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# IOT zone egress goes into the WireGuard tunnel (no iot -> wan forwarding).
config forwarding
	option src 'iot'
	option dest 'wg_iot'

# Port forwards from the tunnel peer into 192.168.50.11 (Plex on 32400 and a
# second, redacted service). They make 50.11 reachable from whatever reaches
# the tunnel's remote endpoint; zone wg_iot has input DROP, so only these two
# DNAT targets are exposed, but the exposed host is the same one that is
# failing from the host zone - keep that in mind when testing changes.
config redirect
	option dest 'iot'
	option target 'DNAT'
	option name 'Plex'
	option family 'ipv4'
	option src 'wg_iot'
	option src_dport '32120'
	option dest_ip '192.168.50.11'
	option dest_port '32400'
	option enabled '1'

config redirect
	option dest 'iot'
	option target 'DNAT'
	option name 'SomeService'
	option family 'ipv4'
	option src 'wg_iot'
	option src_dport 'xxxx'
	option dest_ip '192.168.50.11'
	option dest_port 'xxxx'
	option enabled '1'

# Second tunnel zone (tun0 device from the network config), masqueraded; used
# as the egress for the 'ind' zone.
config zone
	option name 'tun0'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'tun0'
	option masq '1'

config forwarding
	option src 'ind'
	option dest 'tun0'

# Same remark as for wg_iot -> wan: forwards traffic arriving from the tunnel
# out to the WAN; confirm that is intended.
config forwarding
	option src 'tun0'
	option dest 'wan'

Is the firewall at device 50.11 configured to accept traffic from 20.x?

I haven't configured any firewall rules on 50.11; looking at the iptables dump on that host, nothing stands out.

What is interesting to note is that if I allow LAN --> IOT, I can access 50.11 from the LAN (10.x) zone but not from the HOST (20.x) zone.

I didn't change any other firewall rule on the router.