Thanks, streaming is fine, it's the case once ports 3 & 4 are taken out of VLAN 1 (they are supposed to be members of VLAN 10 only) that streaming stops. I would have hoped that they could be taken out of VLAN 1, don't really want them on that particular VLAN. Does the VLAN assignments look ok to you?

@R1D2 

what's on ports 3 & 4? The LAG to the NAS? Nope 3 & 4 is to an AVR & Smart TV on VLAN 10 IoT. NAS is on LAG 1 (Ports 15 & 16)

I was wondering about the firewall rule (ports 50001 and ? Is it 50002?). What makes you sure the firewall rule for Inter-VLAN routing works? It seems that it does not work when you remove the NAS from VLAN 1 or did I mis-understand something here? According to the Synology document you need to allow also port 1900, right? Firewall is Okay. Log shows it working and only allowing VLAN 10 to VLAN 1 NAS, blocking other subnets (guest, gaming etc)

As for the ER VLAN settings:

eth1 is an access port which is untagged member of VLAN 1. Connected to OC200, right? Yip

eth2 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 200U. Connected to an EAP? Yip

eth3 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 99T, 200U. Also connected to an EAP? Yip

eth5 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 50T, 99T, 101T, 200U. Trunk to switch? Yip

As for the switch I can't see all assignments, e.g. for LAG1. The LAG config is done on the TP-LINK, I JUST DIDN'T SCREENSHOT LAG 1 buts its a tagged member of VLAN1

It would best to draw a network diagram showing only switch, NAS, VLANs 1 & 10, EAPs, mapped SSIDs, OC200 Management VLAN setting. Pretty basic, forget about the EAPs\OC200, that works fine. I only connect my IoT through wired ports (I designed the LAN when i built the house). All IoT are LAN wired (in VLAN10).

So (example - not my real IP ranges)

LAN1 10.1.1.0/24

LAN10 10.1.10.0/24

LAN1 NAS 10.1.1.58, DLNA service (LAG 1 tagged - member 15 & 16)

LAN10 AVR 10.1.10.30, DLNA Client (Port 3 untagged)

Trunk Port 17 to EdgeRouter 10.1.1.1 (DCHP service etc) - eth.5

TP-LINK Jetstream switch - 10.1.1.2

ALL these ports are connected on the switch not the EdgeRouter with the exception of the Trunk Port (17) , OC200 and two EAPs (these aren't the problem, all working, just NAS to IoT)

By the way I created pvid 200 as you once mentioned here to have non assigned traffic going to a an dummy VLAN, so did pvid 200 which doesn't have anything assigned)

For testing, I would remove the port limitation from the firewall rule. First, try to make a simplified setup working. It can be restricted later èn detail if things are working.

@R1D2 

Yeah, just removed one of the two aforementioned IoT devices from VLAN1, it stopped communicating to the NAS. I also then put it back in but blocked it at the firewall (removed from an 'allowed list' of devices), it also was then prevented in communicating, even though still in VLAN1. So i'd say the firewall rules work. Been playing around with this for ages and at a loss. However, work around is having those devices in both VLANs and it appears to work as intended, its just I hate things that dont work as intended and that means getting them off my VLAN1...lol

Ports have all been opened for DLNA and so forth.

@R1D2 

Still no luck with this. I'm wondering if the VLANs also require to be setup in the T2600 under L3 features-interface-interface config-Add, then add static IP mode to all of the VLANs that have been setup in the Edgerouter (which controls DHCP) Is this L3 feature also required along with creating the VLANs\Port Configs under L2 Features (which is obviously setup)? Not sure what it brings to the table by adding this L3 feature, since all devices already pick up their correct allocation to a VLAN.

Note my edgeswitch is the DHCP server.