Routing between 2 VLANs using non-default tables

I've got a few VLANs and would like to be able to reach a few hosts on one VLAN from another. Supposedly this should work OOTB once the firewall is configured properly (I have forwardings set up between the two VLANs), but I think that my custom routing tables prevent the routes from being added automatically. The custom routing tables route all traffic on VLAN 2 to my wireguard interface (table 2) and VLAN 1 to wan (table 1).

Let's say I'm on VLAN 2 (br-vpn, 192.168.2.2) and would like to manually specify a route to a host on VLAN 1 (br-lan, 192.168.1.2), how would I do this? Create a third routing table, append a new route to table 2, etc.?

# uci show network; uci show firewall
network.globals=globals
network.globals.ula_prefix='ddc2:9aea:12b1::/48'
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.1.1'
network.lan.ip6assign='64'
network.lan.ip6ifaceid='::1'
network.lan.ip6hint='1'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='56'
network.wan6.device='eth0'
network.wan6.sourcefilter='0'
network.wireguard=interface
network.wireguard.proto='wireguard'
network.wireguard.private_key='redacted'
network.wireguard.addresses='redacted/32' 'redacted/128'
network.wireguard.delegate='0'
network.@wireguard_wireguard[0]=wireguard_wireguard
network.@wireguard_wireguard[0].persistent_keepalive='25'
network.@wireguard_wireguard[0].public_key='redacted'
network.@wireguard_wireguard[0].endpoint_host='redacted'
network.@wireguard_wireguard[0].description='redacted'
network.@wireguard_wireguard[0].endpoint_port='51820'
network.@wireguard_wireguard[0].allowed_ips='0.0.0.0/0' '::/0'
network.@wireguard_wireguard[0].route_allowed_ips='1'
network.vpn=interface
network.vpn.proto='static'
network.vpn.ipaddr='192.168.2.1'
network.vpn.netmask='255.255.255.0'
network.vpn.dns='193.138.218.74'
network.vpn.device='br-vpn'
network.vpn.ip6ifaceid='::1'
network.vpn.ip6class='local'
network.vpn.delegate='0'
network.dmz=interface
network.dmz.proto='static'
network.dmz.ipaddr='192.168.3.1'
network.dmz.netmask='255.255.255.0'
network.dmz.ip6assign='64'
network.dmz.ip6ifaceid='::1'
network.dmz.ip6hint='3'
network.dmz.device='br-dmz'
network.dmz.ip6class='wan6'
network.iot=interface
network.iot.proto='static'
network.iot.ipaddr='192.168.4.1'
network.iot.ip6assign='64'
network.iot.ip6hint='4'
network.iot.ip6ifaceid='::1'
network.iot.netmask='255.255.255.0'
network.iot.device='br-iot'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].stp='1'
network.@device[0].ports='eth1'
network.@device[1]=device
network.@device[1].name='br-vpn'
network.@device[1].type='bridge'
network.@device[1].ports='eth1.2'
network.@device[2]=device
network.@device[2].name='br-dmz'
network.@device[2].type='bridge'
network.@device[2].ports='eth1.3'
network.@device[3]=device
network.@device[3].name='br-iot'
network.@device[3].type='bridge'
network.@device[3].ports='eth1.4'
network.@route[0]=route
network.@route[0].interface='wan'
network.@route[0].target='0.0.0.0/0'
network.@route[0].table='1'
network.@route6[0]=route6
network.@route6[0].interface='wan6'
network.@route6[0].target='::/0'
network.@route6[0].table='1'
network.@route6[1]=route6
network.@route6[1].interface='wireguard'
network.@route6[1].target='::/0'
network.@route6[1].table='2'
network.@rule[0]=rule
network.@rule[0].in='lan'
network.@rule[0].lookup='1'
network.@rule6[0]=rule6
network.@rule6[0].in='lan'
network.@rule6[0].lookup='1'
network.@rule6[1]=rule6
network.@rule6[1].in='vpn'
network.@rule6[1].lookup='2'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='dmz' 'lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='iot'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='iot'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='vpn'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].network='vpn'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[4]=zone
firewall.@zone[4].name='wireguard'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].masq='1'
firewall.@zone[4].mtu_fix='1'
firewall.@zone[4].network='wireguard'
firewall.@zone[4].masq6='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='iot'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='vpn'
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='vpn'
firewall.@forwarding[4].dest='wireguard'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='vpn'
firewall.@forwarding[5].dest='iot'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='iot'
firewall.@forwarding[6].dest='wireguard'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].src='iot'
firewall.@forwarding[7].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.@forwarding[8]=forwarding
firewall.@forwarding[8].src='lan'
firewall.@forwarding[8].dest='wireguard'

Usually, on the same physical network, you don't need additional routes on other routers/switches for VLAN routing to work, as long as you have a "central router" where all VLANs are declared and assigned IP addresses, and all workstations/devices use that "central router" as their default gateway.

Still, in specific situations, you can add additional routes to other devices/interfaces, something like on router A: "ip class B/24 -> use gateway B" and on router B: "ip class A/24 -> use gateway A". You may also need to adapt the firewall forwarding rules, if you have any.

I don't use a firewall on all the OpenWrt devices, only on the central router, but I believe that if you haven't specified forwarding rules on these intermediary OpenWrt routers, the routing should work as soon as you have declared the VLANs on them.

It doesn't work in my case because I've already specified a route for all traffic on VLAN 2 to go through the wireguard interface and all traffic on VLAN 1 to go to wan. To work around this I added the following to /etc/config/network:

config rule
	option in 'vpn'
	option out 'lan'
	option dest '192.168.1.0/24'
	option lookup 'default'

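This should put that specific traffic back on the default table, and I'm once again able to connect from the vpn VLAN to devices on the lan VLAN. Note that the rule only changes which routing table is consulted; whether a given host is reachable is still decided by the firewall forwarding from vpn to lan.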

If there's a better way, please someone chime in.