bonovski
just joined
Topic Author
Posts: 3
Joined: Wed Dec 29, 2021 1:51 pm

Switch gets IP address from every VLAN DHCP server

Thu Jan 20, 2022 7:14 pm

I have connected a hap ac2 to a TL-SG105E smart switch.
There are 3 VLANS configured.
192.168.100.1/24 - main vlan
192.168.101.1/24 - iot vlan
192.168.102.1/24 - guest vlan
The switch should get an IP address from the main vlan, which it initially usually does, but as soon as I plug in clients to the access ports on the switch it starts to get random IP addresses from all three VLAN DHCP servers. I've set the lease time to 10 sec, so I could figure out what's going on.

I disabled the DHCP client on the switch and configured a manual IP address on it 192.168.100.3.
After that everything seems to work as intended.
Now I'm trying to find out where I went wrong. I have read "the thread" about vlans and a pretty long list of posts.
Is it best practice to manually assign IPs to all the switches or is there a huge error in my config?

Router config: (I started with the default configuration and haven't touched the firewall yet)
router.rsc
Switch config
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Switch gets IP address from every VLAN DHCP server

Fri Jan 21, 2022 11:10 pm

For the TPLINK.
(1) Trunk ports-->the default pVID of 1, stays in place do not remove.
(2) Access ports--> the default pvid of 1 is changed to the PVID of the vlan that will be tagged entering the switch heading to router and untagged as traffic leaves switch heading to dumb device.
(3) Add the IP address of the TPLINK manually and then add that address to the MT DHCP Server Lease for the vlan and Make it static, (hint right now the mac address of the tplink you will need it).

Your table is confusing.
For starters you need to decide what you want: trunk, access or hybrid ports.
Trunk ports, one or more vlans flow in and out of the port, data coming from another smart device (that can read vlans) or going to another smart device that can read vlans.
Access ports, can only have ONE vlan associated with the port and the switch tags traffic coming from the dumb device and then removes the tag on return traffic to the dumb device.
Hybrid ports are rarer, as few devices are set up to receive and deal with one or more tagged vlans and one untagged vlan.
Clearly 1 is a trunk port. Ports 3,4 look like access ports maybe? Port 5 is not used?? And port 2 is confused and is set up like a hybrid port.

(I think the error here is on your vlan100 setting, it should only be a member of ports 1,3 and should not be tagged for port 2)

Please verify the usage of each port. I think this is where your issues lie!!
I believe port1 is coming from the MT device.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Looking at the MT device.

Your interface list can use work
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN {remove not required not used in your config}
add name=MGMT
/interface list member
add comment=defconf interface=bridge list=LAN { remove not required covered by vlans to list=LAN }
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=MGMT
add interface=main-vlan list=VLAN { not required not used }
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN


MISSING - which bridge port is GOING TO THE SWITCH ????

/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan1 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan2 pvid=100

You have a problem with ETHER5 as exposed by bridge vlans.
NOTE ABOVE you state only allow tagged frames with an access port setting of PVID-100, doesn't compute!! (problem1),

/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=\
ether2,ether3 vlan-ids=100 {if ether 5 was untagged for vlan 100 it would also be untagged on this line}
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 \
vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102

SO it appears you are using ether5 as a hybrid port to the switch???????
PROBLEM2

To fix this for ETHER5
bridge port
a. frame-types=only tagged keep, that is correct, (plus add ingress filtering for all bridge ports)
b. remove pvid of 100
bridge vlans (corrected)
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=\
ether2,ether3,wlan1,wlan2 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 \
vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102

Summary,
Vlan100, the home vlan, will be going through port 5 to the switch, along with vlans 101 and 102.
Vlan100 will also go out the two WLANs on the router as well as probably to PCs on ports 2,3
Vlan102 will also go out on the router to an iot device on port 4.
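
A small consistency check for the bridge settings discussed in the reply above, added here as an example (it is not part of the original posts and not MikroTik tooling). `CONFIG` is the router's bridge port and bridge vlan lines as quoted in the reply, with comments dropped and continuation lines joined; `parse` and `lint` are hypothetical helper names.

```python
import re

# Bridge settings as quoted in the thread (comment= fields dropped,
# backslash continuations joined onto one line).
CONFIG = """
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=100
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=100
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge tagged=bridge,ether5 vlan-ids=102
"""

def parse(config):
    """Return ({port: (frame_types, pvid)}, [(vlan_id, tagged, untagged)])."""
    ports, vlans, section = {}, [], None
    for line in map(str.strip, config.strip().splitlines()):
        if line.startswith("/"):          # section header, e.g. /interface bridge vlan
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        members = lambda key: set(filter(None, kv.get(key, "").split(",")))
        if section == "/interface bridge port":
            ports[kv["interface"]] = (kv.get("frame-types", "admit-all"), int(kv.get("pvid", 1)))
        elif section == "/interface bridge vlan":
            vlans.append((int(kv["vlan-ids"]), members("tagged"), members("untagged")))
    return ports, vlans

def lint(config):
    """Flag ports whose pvid disagrees with frame-types or the static VLAN table."""
    ports, vlans = parse(config)
    findings = []
    for name, (frames, pvid) in sorted(ports.items()):
        listed = {vid for vid, _, untagged in vlans if name in untagged}
        if frames == "admit-only-vlan-tagged" and pvid != 1:
            findings.append(f"{name}: tagged-only port still carries pvid={pvid}")
        elif frames.startswith("admit-only-untagged") and listed != {pvid}:
            findings.append(f"{name}: access port pvid={pvid}, listed untagged in {sorted(listed)}")
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

On the quoted settings this reports ether5, wlan1 and wlan2; with the pvid removed from ether5 and the wlan ports listed as untagged for VLAN 100, as in the corrected table, it reports nothing.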
 
bonovski
just joined
Topic Author
Posts: 3
Joined: Wed Dec 29, 2021 1:51 pm

Re: Switch gets IP address from every VLAN DHCP server

Fri Jan 28, 2022 4:31 pm

Thanks for all the suggestions. I started the above from a config I found online and perfected it in the last week with your help and some extensive googling.
The problem with these switches is apparently widely known so the solution is to disable the DHCP client on them and set up static IP addresses.

I also created a management LAN for the hap and switches and with a few firewall rules everything is kept apart nicely now.
