Today I did some work to split up my default VLAN 0 to different VLANS and I moved my Synology server as first to VLAN 400.
Setup DHCP, etc. Incl some firewall rules to allow temporary access from the default VLAN to VLAN 400.
Will be more tidy off course, but because of limited time and WAF, I need todo it in small steps.
Everything works now. SMB for 1 client to the Synology and other ports for others. But....

Some invalid connection states can occur, and I'm not worried about, but the amount I'm seeing here is worrying me. The 8443 traffic is mainly Nextcloud Sync client traffic.
But it also happens on SSH traffic (port 22).
Besides the errors everything works, but when connecting over SSH it just doesn't seem to be very snappy during connection build up. So I think actually something is wrong.
Do you have any idea? Here's the config of my router (REMOVED). Work in progress

Figured it out myself. Turned out that I wasn't aware of the default allow behaviour of the firewall and was missing a forward drop at the end.
Now I added more rules the explicitly allow traffic and the errors went away.