ER605 Access Control Question (Block WAN to specific VLAN but allow other LAN)
On my ER605 I have a Cameras VLAN set up, which I have on the 192.168.5.0/24 IP range. I have a separate wireless TP-Link router as the 192.168.5.1 gateway on this port (one of the mesh routers, I forget the exact model) which I have all of my in-house cameras wirelessly connected to.
I also have OpenVPN set up on the ER605 to provide IPs on the 192.168.6.0/24 IP range, which seems to be working (after connecting to OpenVPN my device lists a 192.168.6.10 IP, I can get access to webpages while connected, and I see traffic for that IP in the Traffic Listings page), so that seems to be working fine.
My issue comes with getting the Access Control for this setup to work correctly. Something about this just doesn't seem to be clicking in my mind. My goal is to have all of the cameras be completely inaccessible from WAN and vice-versa, but accessible to devices connected via OpenVPN. To that end, I have this set of rules:
Camera_VLAN_Group = 192.168.5.0/24, OpenVPN_VLAN_Group = 192.168.6.0/24, and Chris_Machines is my desktop that I have on another port on the ER605, which shouldn't be impacting anything I'm asking about but I'm including the associated rules for completeness' sake.
I am very confused as to why this set of rules isn't working the way I think it should, which is to (1) allow traffic between the VPN and Camera VLANs and (2) prevent any WAN access for Camera. To be clear, part (2) is working, but part (1) is not; I do not have any access to the cameras on the OpenVPN connected device. It doesn't seem to matter which order I have these 4 rules in, the end result always is that the cameras have no access to WAN but the OpenVPN device has no connection to the cameras. I can access the cameras just fine if I change rules 5 and 6 to Allow instead of Block, but that obviously defeats the purpose.
I think my issue is just a fundamental misunderstanding of how these rules are supposed to work. Can someone give me a hand?