Can't seem to get DHCP relay working across interfaces

Hello, I'm hoping someone can give me some pointers. I am trying to set up a new subnet, I have 3 NICs configured on XG, port1 is my WAN port, port2 is my normal everyday network (192.168.0.0/24) and port3 is the new port allocated to kids wifi on 192.168.10.0/24.

I have set up a DHCP relay to forward DHCP packets, which are hitting my DHCP servers (I am running failover), and the DHCP server responds with a DHCPOFFER packet, but it doesn't seem to reach the client (as it doesn't get an IP address and the DHCP server log doesn't show any REQUESTs coming in, just more DISCOVERs and OFFERs).

Here's a snippet from one of my DHCP servers on 192.168.0.37, you can see it received the discover via port3 interface (192.168.10.1) and replied:

Dec 9 19:33:24 prod-adonis-1 dhcpd: DHCPDISCOVER from 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:24 prod-adonis-1 dhcpd: DHCPOFFER on 192.168.10.150 to 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:39 prod-adonis-1 dhcpd: DHCPDISCOVER from 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:39 prod-adonis-1 dhcpd: DHCPOFFER on 192.168.10.150 to 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:49 prod-adonis-1 dhcpd: DHCPDISCOVER from 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:49 prod-adonis-1 dhcpd: DHCPOFFER on 192.168.10.150 to 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:51 prod-adonis-1 dhcpd: DHCPDISCOVER from 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:51 prod-adonis-1 dhcpd: DHCPOFFER on 192.168.10.150 to 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:54 prod-adonis-1 dhcpd: DHCPDISCOVER from 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1
Dec 9 19:33:54 prod-adonis-1 dhcpd: DHCPOFFER on 192.168.10.150 to 84:98:66:06:e1:67 (Galaxy-A5-2016) via 192.168.10.1

From the DHCP server I can ping the port3 interface ok:

root@prod-adonis-1:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.415 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.397 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.606 ms
^C
--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.397/0.472/0.606/0.097 ms
root@prod-adonis-1:~#

When I checked the f/w log I see DHCP packets from my DHCP servers are being dropped even though I have set up a firewall rule to allow all traffic:

So it seems the traffic from the client reached the DHCP server but the reply got dropped for some reason.

I originally had both port2 and port3 in the same zone (LAN) and just had a rule that allow source:LAN -> dest:LAN (allow)

But now I have put port3 into it's own zone (KIDS), and created two rules:

source:KIDS -> dest:LAN (allow)

source:LAN -> dest:KIDS (allow)

but I am still seeing the DHCP traffic getting dropped by the local ACL.

I am not running the DHCP server on XG as I have my own DHCP servers, I assume the DHCP relay doesn't need this to be running?

Anyone got any ideas as I have wasted hours on this and pretty sure it'll be something simple.

I am not running any DDoS, web protection, proxy etc.

Thanks.

Paul