I have been working on my home server for the last few days and wanted to put all services that are accessible from outside into their own VLAN (something like a DMZ).
In my OpenWrt router I have defined another port as VLAN3 with the IP range 10.0.0.1/24.
My local LAN for PCs, WLAN etc. is VLAN1.
VLAN1 192.168.1.0/24 --> VLAN3 10.0.0.1/24 works
VLAN3 --> VLAN1 no connection, that's right
VLAN1 --> WAN works
VLAN3 --> WAN works
VLAN3 then contains all LXC containers/VMs that should be accessible from outside, e.g. NginX, Jellyfin, qBit etc.
But now I have the problem that as soon as I start Wireguard in my qBit container, the entire container is no longer accessible via VLAN1.
Locally in the same network (VLAN3 10.0.0.1/24) it is available and can be pinged.
As soon as I deactivate Wireguard again, the container is also accessible or pingable again via VLAN1.
So it should be due to the Wireguard config.
In the Wireguard config I have already tried to enable the network range 10.0.0.1/24 via AllowedIPs. However, this only bypasses the Wireguard server and I communicate with the outside world via my real external IP address.
Allowing the IPs from VLAN1 (192.168.1.0/24) did not lead to the desired result either.
Wireguard
[Interface]
PrivateKey = redacted
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = 194.126.177.7:51820
OpenWrt
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'

config device
	option name 'eth0.2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr 'redacted'
	option netmask 'redacted'
	option gateway 'redacted'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 3 4 5'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '3'
	option description 'DMZ'

config interface 'DMZ'
	option proto 'static'
	option device 'eth0.3'
	option gateway '192.168.1.1'
	list ipaddr '10.0.0.1/24'
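
Added example, not part of the original post: a small model of how the container picks an outgoing interface for its replies once a tunnel with AllowedIPs = 0.0.0.0/0 is up, which reproduces the symptoms described above. It assumes the tunnel is started with wg-quick, that the container's interfaces are named eth0 and wg0, and that its gateway is 10.0.0.1; the subnets are the ones from the post.

```python
import ipaddress

# Constructed model of the container's routing tables. Interface names and the
# use of wg-quick are assumptions; the subnets are taken from the post.
MAIN = [
    ("10.0.0.0/24", "eth0", None),       # on-link DMZ subnet (VLAN3)
    ("0.0.0.0/0", "eth0", "10.0.0.1"),   # ordinary default route via the router
]
TUNNEL = [("0.0.0.0/0", "wg0", None)]    # wg-quick's table for AllowedIPs = 0.0.0.0/0


def longest_match(table, dst, min_prefixlen=0):
    """Longest-prefix match; routes shorter than min_prefixlen are ignored."""
    best = None
    for prefix, dev, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen >= min_prefixlen:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev, via)
    return best


def egress(dst, main=MAIN, tunnel_up=True):
    """Return (device, gateway) the container uses to send a packet to dst."""
    dst = ipaddress.ip_address(dst)
    if tunnel_up:
        # wg-quick first consults the main table with "suppress_prefixlength 0",
        # so every main-table route except the default (/0) still wins.
        # Anything left over falls through to the tunnel's default route.
        hit = longest_match(main, dst, min_prefixlen=1) or longest_match(TUNNEL, dst)
    else:
        hit = longest_match(main, dst)
    return (hit[1], hit[2]) if hit else None


# Same main table plus an explicit route back to VLAN1 via the router.
MAIN_WITH_LAN_ROUTE = MAIN + [("192.168.1.0/24", "eth0", "10.0.0.1")]

if __name__ == "__main__":
    for label, table in (("as posted", MAIN), ("with LAN route", MAIN_WITH_LAN_ROUTE)):
        for dst in ("10.0.0.5", "192.168.1.50", "1.1.1.1"):
            print(f"{label:15} {dst:13} -> {egress(dst, table)}")
```

In this model, replies to a VLAN1 host leave through wg0 while hosts in 10.0.0.0/24 stay reachable on-link, and a specific main-table route for 192.168.1.0/24 (on a real system, `ip route add 192.168.1.0/24 via 10.0.0.1` in the container) sends only that subnet back through the router while Internet traffic stays in the tunnel.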