Nftables between lans (as vlans)

I'm back for some help. Thanks in advance for clearing up my confusion.

My setup for this thread is:

DotQSwitch as the bridge

DotQSwitch.5, .10, .15....

Rules in place:

DotQSwitch.5 "allow fwd to dest zones" .10,.15,.20,.25

DotQSwitch.20 "allow fwd to dest zones" WAN

When a device in DotQSwitch.5 initiates a TCP connection to a device in .20, I thought

ct state established,related accept comment "!fw4: Allow forwarded established and related flows"

which is the default in all chains (FWD, IN, OUT), would track that flow and allow the return traffic.

What actually happens is that the traffic is dropped (for TCP the SYN-ACK is blocked, and for UDP I get an ICMP port unreachable).

Of course, if I add a traffic rule allowing .20 to .5 for these ports and protocols, the traffic is allowed, so it isn't a "networking" issue per se.

What am I missing? BTW, the firewall log shows:

reject DotQSwitch.20 forward:

and this is the forward chain:

        chain forward {
                type filter hook forward priority filter; policy drop;

                meta l4proto { tcp, udp } flow offload @ft;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"

Thoughts?

Can I improve the question in some way?

Provide your /etc/config/network and /etc/config/firewall

@jow Thank you for the feedback - here are the details. I am not sure my understanding of established,related is correct.

/etc/config/network

 cat /etc/config/network

# /etc/config/network as pasted in the post; key material, the WireGuard
# endpoint host and the listen/endpoint ports appear as 'redacted'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

# wan / wan6: DHCP and DHCPv6 clients on the same physical 'wan' device.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# DotQSwitch: bridge over lan1-lan4 with STP enabled. Its VLANs are the
# bridge-vlan sections below; each one is used by an interface as DotQSwitch.<id>.
config device 'device1'
        option bridge_empty '1'
        option name 'DotQSwitch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option type 'bridge'
        option stp '1'

# VLAN 5: untagged and PVID ('u*') on every port, so untagged frames arriving
# on any lan port land in VLAN 5.
config bridge-vlan 'bridge_vlan1'
        option device 'DotQSwitch'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        option vlan '5'

# VLANs 10, 15, 20 and 25: tagged ('t') on every port.
config bridge-vlan 'bridge_vlan2'
        option device 'DotQSwitch'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        option vlan '10'

config bridge-vlan 'bridge_vlan3'
        option device 'DotQSwitch'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        option vlan '15'

config bridge-vlan 'bridge_vlan4'
        option device 'DotQSwitch'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        option vlan '20'

config bridge-vlan 'bridge_vlan5'
        option device 'DotQSwitch'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        option vlan '25'

# One static /24 per VLAN, router address .1 in each (172.16.<vlan>.1).
# NOTE(review): only Int5 sets defaultroute '0'; the other static interfaces omit it.
config interface 'Int5'
        option proto 'static'
        option device 'DotQSwitch.5'
        option ipaddr '172.16.5.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config interface 'Int10'
        option proto 'static'
        option device 'DotQSwitch.10'
        option ipaddr '172.16.10.1'
        option netmask '255.255.255.0'

config interface 'Int15'
        option proto 'static'
        option device 'DotQSwitch.15'
        option ipaddr '172.16.15.1'
        option netmask '255.255.255.0'

config interface 'Int20'
        option proto 'static'
        option device 'DotQSwitch.20'
        option ipaddr '172.16.20.1'
        option netmask '255.255.255.0'

config interface 'Int25'
        option proto 'static'
        option device 'DotQSwitch.25'
        option ipaddr '172.16.25.1'
        option netmask '255.255.255.0'

# WireGuard peer for the management VPN. With route_allowed_ips '1' each
# allowed_ips entry is installed as a route via wg0.
# NOTE(review): 172.24.0.2/32 is already contained in 172.24.0.0/13.
config wireguard_wg0 'wgpeer_wg0'
        option persistent_keepalive '60'
        option route_allowed_ips '1'
        option endpoint_host 'redacted.com'
        option public_key 'redacted'
        option endpoint_port 'redacted'
        list allowed_ips '172.24.0.2/32'
        list allowed_ips '172.24.0.0/13'
        list allowed_ips '10.200.200.10/32'

# wg0: local tunnel address 172.24.0.5/32, MTU 1420; placed in the
# 'mgmtvpn' firewall zone by /etc/config/firewall.
config interface 'wg0'
        option listen_port 'redacted'
        option mtu '1420'
        option proto 'wireguard'
        option nohostroute '0'
        option private_key 'redacted'
        list addresses '172.24.0.5/32'

/etc/config/firewall

cat /etc/config/firewall

# /etc/config/firewall as pasted in the post.
# Global defaults: inter-zone forwarding is REJECT unless a 'forwarding'
# section allows it; drop_invalid '1' corresponds to the
# "ct state invalid drop" rule visible in the pasted forward chain.
config defaults 'defaults'
        option output 'ACCEPT'
        option synflood_protect '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

# wan zone: input and forward REJECT, NAT (masq) and MSS clamping enabled;
# log '1' logs traffic rejected by this zone's policies.
config zone 'zone2'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option name 'wan'
        option output 'ACCEPT'
        option log '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# rule1-rule7: the default OpenWrt WAN-side rules (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6 input and forward). rule7 has dest '*', so it applies
# to forwarded traffic; the others have no dest and apply to input.
config rule 'rule1'
        option dest_port '68'
        option family 'ipv4'
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule2'
        option family 'ipv4'
        option icmp_type 'echo-request'
        option name 'Allow-Ping'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule3'
        option family 'ipv4'
        option name 'Allow-IGMP'
        option proto 'igmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule4'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src 'wan'
        option src_ip 'fc00::/6'
        option target 'ACCEPT'

config rule 'rule5'
        option family 'ipv6'
        option icmp_type '130/0 131/0 132/0 143/0'
        option name 'Allow-MLD'
        option proto 'icmp'
        option src 'wan'
        option src_ip 'fe80::/10'
        option target 'ACCEPT'

config rule 'rule6'
        option family 'ipv6'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'

config rule 'rule7'
        option dest '*'
        option family 'ipv6'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Forward'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'

# Int5 zone (VLAN 5). A zone's own 'forward' policy only covers traffic
# between networks of the same zone; every Int* zone here holds a single
# network, so inter-zone paths come only from the 'forwarding' sections.
# Forwardings with src Int5: wan (forwarding2), Int15 (forwarding7),
# Int10 (forwarding10), Int20 (forwarding13), Int25 (forwarding17) and
# mgmtvpn (forwarding_39). There is no forwarding with src Int20 and dest Int5;
# replies to Int5-initiated flows are expected to match the established rule.
config zone 'zone3'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'Int5'
        list network 'Int5'

config forwarding 'forwarding2'
        option dest 'wan'
        option src 'Int5'

# Int10 zone (VLAN 10): input ACCEPT; forwardings with src Int10 go to wan,
# Int15, Int5, Int20 and Int25.
config zone 'zone4'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'Int10'
        list network 'Int10'

config forwarding 'forwarding3'
        option dest 'wan'
        option src 'Int10'

config forwarding 'forwarding4'
        option src 'Int15'
        option dest 'Int5'

config forwarding 'forwarding5'
        option src 'Int15'
        option dest 'Int10'

config forwarding 'forwarding6'
        option dest 'wan'
        option src 'Int15'

config forwarding 'forwarding7'
        option dest 'Int15'
        option src 'Int5'

config forwarding 'forwarding8'
        option src 'Int10'
        option dest 'Int15'

config forwarding 'forwarding9'
        option dest 'Int5'
        option src 'Int10'

# Int15 zone (VLAN 15): input ACCEPT, MSS clamping on; forwardings with
# src Int15 go to Int5, Int10, wan, Int20 and Int25.
config zone 'zone5'
        option mtu_fix '1'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option name 'Int15'
        list network 'Int15'

config forwarding 'forwarding10'
        option dest 'Int10'
        option src 'Int5'

config forwarding 'forwarding11'
        option dest 'wan'
        option src 'Int20'

config forwarding 'forwarding12'
        option dest 'Int20'
        option src 'Int15'

config forwarding 'forwarding13'
        option dest 'Int20'
        option src 'Int5'

# Int20 zone (VLAN 20): input REJECT, forward ACCEPT, log '1'. The only
# forwarding with src Int20 is to wan (forwarding11). The log option is
# presumably what produces the "reject DotQSwitch.20 forward:" entries
# quoted in the post.
config zone 'zone6'
        option output 'ACCEPT'
        option mtu_fix '1'
        option name 'Int20'
        option log '1'
        option input 'REJECT'
        list network 'Int20'
        option forward 'ACCEPT'

config forwarding 'forwarding14'
        option dest 'Int20'
        option src 'Int10'

config forwarding 'forwarding15'
        option dest 'wan'
        option src 'Int25'

config forwarding 'forwarding16'
        option dest 'Int25'
        option src 'Int15'

config forwarding 'forwarding17'
        option dest 'Int25'
        option src 'Int5'

# rule10-rule13: Int20 and Int25 have input REJECT, so DHCP (udp 67-68) and
# DNS (udp 53) to the router are opened explicitly; no dest means input chain.
config rule 'rule10'
        option family 'ipv4'
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option src 'Int20'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule 'rule11'
        option family 'ipv4'
        option name 'Allow-Guest-DHCP-Renew'
        option proto 'udp'
        option src 'Int25'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule 'rule12'
        option dest_port '53'
        option name 'Allow-Guest-DNS'
        option src 'Int25'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule 'rule13'
        option dest_port '53'
        option name 'Allow-Devices-DNS'
        option src 'Int20'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

# Int25 zone (VLAN 25): input and forward REJECT. Only rule11/rule12 and
# forwarding15 (to wan) originate here; forwarding16/17/18 point into it.
config zone 'zone7'
        option output 'ACCEPT'
        option name 'Int25'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'Int25'

config forwarding 'forwarding18'
        option dest 'Int25'
        option src 'Int10'

# rule14/rule15: mDNS (udp 5353 -> 5353) to 224.0.0.251 from Int5 and Int20;
# no dest, so these apply to the input chain.
config rule 'rule14'
        option dest_port '5353'
        option family 'ipv4'
        option name 'Allow-MDNS-HS'
        option src_port '5353'
        option target 'ACCEPT'
        option src 'Int5'
        list dest_ip '224.0.0.251'
        list proto 'udp'

config rule 'rule15'
        option dest_port '5353'
        option family 'ipv4'
        option name 'Allow-MDNS-Devices'
        option src 'Int20'
        option src_port '5353'
        option target 'ACCEPT'
        list dest_ip '224.0.0.251'
        list proto 'udp'

# mgmtvpn zone (wg0): input and forward REJECT, masq on. rule_40 opens ports
# 69 and 443 on the router to the two listed tunnel addresses only.
# NOTE(review): dest_port has meaning for the tcp/udp entries of the proto
# list; check how fw4 renders the icmp entry with a port match attached.
config zone 'zone_38'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option name 'mgmtvpn'
        option output 'ACCEPT'
        list network 'wg0'

config rule 'rule_40'
        option dest_port '69 443'
        option name 'Allow-IDC-ICMP-AND-MANAGEMENT'
        option src 'mgmtvpn'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        list src_ip '172.24.0.2'
        list src_ip '172.24.0.5'

config forwarding 'forwarding_39'
        option dest 'mgmtvpn'
        option src 'Int5'

# Anonymous section (no section name); UCI assigns a generated id.
# Matches TCP packets from Int20 to Int5 whose source port is 515, i.e. the
# printer's reply direction for an LPD connection opened from Int5. The post
# asks why "ct state established,related" does not already cover those replies.
config rule
        option name 'Allow LPD'
        list proto 'tcp'
        option src 'Int20'
        option src_port '515'
        option dest 'Int5'
        option target 'ACCEPT'
        option family 'ipv4'

In that config, the Allow LPD rule was added to support a printer on that network, but LPD is TCP and I thought

ct state established,related accept comment "!fw4: Allow forwarded established and related flows"

would allow the return traffic through.