Can't connect Shelly to Home Assistant through different Sophos UTM VLANs

Hey everyone, 

I have a problem here which turns out to be my final boss.

What am I planning to do?

I run two Sophos UTM firewalls at home, a UTM 320 which manages the LAN and an SG115 which manages the WLAN.

I switched to VLAN operation, before that everything worked (of course).

Now the problem is that my Home Assistant in the Management VLAN can ping the Shellys in the IoT WLAN, but I can't add them via the integration; it always tells me "connection failed". Do you have any ideas why this happens? My network structure is below:

Sophos UTM 320 Rev. 5 in VLAN 100 (ManagementLAN, 192.168.100.0/24, 192.168.100.254)

Sophos SG 115 Rev. 3 in VLAN 100 (ManagementLAN, 192.168.100.0/24, 192.168.100.252)

Both devices have an interface in VLAN 100, and the SG115 also has an IP address in the IoTWLAN, as it is the gateway for those devices.

Sophos SG 115 Rev. 3 in VLAN 500 (IoTWLAN, 192.168.5.0/24, 192.168.5.254)

All Shellies are also in the aforementioned VLAN 500 and can be pinged by the Home Assistant in VLAN 100.

Home Assistant on Raspi (ManagementLAN, VID 100, 192.168.100.12)

I can access the web interface of the Home Assistant and the Shellies from my PC in VLAN 10 ("normal" LAN environment of the end devices with no task in the network, 192.168.10.0/24); the web filter release for HTTP traffic for Home Assistant and Shellies is already set up on both firewalls.

Since all devices can reach each other and there is a lot of traffic between the different VLANs (the firewall logs are green), I think routing is not the problem here.

What else could be important?

- Pi-hole in VLAN 100 as DNS forwarder for all VLANs

- Central switch (Netgear GS724T) which connects all LAN devices. The trunk ports, to which the firewall is connected as a LAG, trunk all VLANs to ensure accessibility.

- Shellies of the 1st to 3rd generation are in use. For the first generation, I have already changed the CoIoT entry to 192.168.100.12:5683 (but they are still not accessible). Shellies of the 3rd generation do not require any further configuration (outbound WebSocket or something like that), do they?

- IGMP snooping is deactivated on the switch. The internet is divided as to whether it should be on or off. I disabled it because it only optimizes multicast traffic and is not critical for accessibility itself.

- I cannot activate multicast routing because I cannot create two interfaces on the UTM 320 (ManagementLAN and IoTWLAN), because the IoTWLAN is located on the SG115.

- Do I need a NAT rule? In an old backup with the old config, all devices were in one network, no VLAN and only the SG115. I had the following DNAT rule active there: LAN -> Shelly service (port 5683) -> Firewall, translate to: Home Assistant -> Shelly service (5683). Do I need a rule like this again, and if so, which rule on which firewall? Unfortunately, I no longer know why I created it back then.

- Firewall logs of the UTM320 show the requests from the Home Assistant to the Shelly, but they are grayed out with "Suspicious TCP status".

- Firewall logs of the SG115 do not show the requests from the Home Assistant to the Shelly.

- Maybe Multicast DNS is the problem here?

- The Home Assistant and the Shellies are running via HTTP internally.

That should be it for now, I hope you can help me. Of course I could put the Home Assistant in the IoT network, but to be honest that would only be the last resort for me.

Thank you for your help!!
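Added example (not the poster's configuration, and not Sophos or Home Assistant code): a small Python check that groups firewall log lines into flows and points out TCP flows where the firewall logged the client's packets but never saw the SYN/ACK coming back. A stateful firewall that only sees one direction of a connection marks the later packets as invalid, which is the kind of record the post describes as "Suspicious TCP status" on the UTM 320 while the SG115 shows nothing for the same requests. The script also lists UDP flows on port 5683 (the CoIoT port mentioned above), so both the HTTP and the CoIoT side of the integration can be read off one log. The key="value" field names and the log line prefix are assumptions modelled on packet-filter style logs, and the sample lines are constructed to mirror the topology in the post (Home Assistant 192.168.100.12 talking to a Shelly in 192.168.5.0/24, and a PC in 192.168.10.0/24 whose connection is seen in both directions).

```python
"""
Flow check over firewall log lines: which TCP connections did the firewall
see only in one direction, and which UDP flows use the CoIoT port 5683?

Field names (srcip, dstip, proto, srcport, dstport, tcpflags, action, info)
are assumptions; the sample log below is constructed, not captured.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
COIOT_PORT = "5683"

# Constructed sample: first flow is the Home Assistant host whose replies
# return by another path, second flow is a PC seen in both directions,
# third is a unicast CoIoT datagram from a Gen1 device to Home Assistant.
SAMPLE_LOG = """\
2024:05:01-10:00:01 utm320 ulogd[1111]: action="accept" initf="eth0.100" srcip="192.168.100.12" dstip="192.168.5.20" proto="6" srcport="51000" dstport="80" tcpflags="SYN"
2024:05:01-10:00:01 utm320 ulogd[1111]: action="drop" info="Suspicious TCP status" initf="eth0.100" srcip="192.168.100.12" dstip="192.168.5.20" proto="6" srcport="51000" dstport="80" tcpflags="ACK"
2024:05:01-10:00:02 utm320 ulogd[1111]: action="drop" info="Suspicious TCP status" initf="eth0.100" srcip="192.168.100.12" dstip="192.168.5.20" proto="6" srcport="51000" dstport="80" tcpflags="ACK PSH"
2024:05:01-10:00:05 utm320 ulogd[1111]: action="accept" initf="eth0.10" srcip="192.168.10.5" dstip="192.168.5.20" proto="6" srcport="40000" dstport="80" tcpflags="SYN"
2024:05:01-10:00:05 utm320 ulogd[1111]: action="accept" initf="eth0.100" srcip="192.168.5.20" dstip="192.168.10.5" proto="6" srcport="80" dstport="40000" tcpflags="SYN ACK"
2024:05:01-10:00:05 utm320 ulogd[1111]: action="accept" initf="eth0.10" srcip="192.168.10.5" dstip="192.168.5.20" proto="6" srcport="40000" dstport="80" tcpflags="ACK"
2024:05:01-10:00:09 utm320 ulogd[1111]: action="accept" initf="eth0.100" srcip="192.168.5.21" dstip="192.168.100.12" proto="17" srcport="5683" dstport="5683"
"""


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def flow_key(rec):
    """Direction-agnostic (proto, endpoint, endpoint) key so both halves of a
    connection land in the same bucket."""
    a = (rec["srcip"], rec["srcport"])
    b = (rec["dstip"], rec["dstport"])
    lo, hi = sorted([a, b])
    return (rec["proto"], lo, hi)


def collect_flows(log_text):
    """Group log records into flows, remembering directions seen, TCP flag
    sets, drop count and who sent the initial SYN."""
    flows = defaultdict(lambda: {"dirs": set(), "flags": [], "drops": 0,
                                 "client": None, "server": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "srcip" not in rec or "proto" not in rec:
            continue  # not a packet record
        f = flows[flow_key(rec)]
        f["dirs"].add((rec["srcip"], rec["dstip"]))
        flagset = set(rec.get("tcpflags", "").split())
        f["flags"].append(flagset)
        if rec.get("action") == "drop":
            f["drops"] += 1
        if flagset == {"SYN"} and f["client"] is None:
            f["client"], f["server"] = rec["srcip"], rec["dstip"]
    return flows


def report(log_text):
    """Return findings: TCP flows seen only from the client side (no SYN/ACK
    ever logged), and UDP flows on the CoIoT port."""
    findings = []
    for (proto, lo, hi), f in collect_flows(log_text).items():
        if proto == "6":
            saw_syn = any(fs == {"SYN"} for fs in f["flags"])
            saw_synack = any({"SYN", "ACK"} <= fs for fs in f["flags"])
            if saw_syn and not saw_synack and len(f["dirs"]) == 1:
                findings.append({"kind": "half-seen-tcp",
                                 "client": f["client"], "server": f["server"],
                                 "drops": f["drops"]})
        elif proto == "17" and COIOT_PORT in (lo[1], hi[1]):
            findings.append({"kind": "coiot-udp", "endpoints": (lo[0], hi[0]),
                             "dirs": len(f["dirs"])})
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it against an exported packet-filter log instead of `SAMPLE_LOG`. A "half-seen-tcp" finding only says that this firewall never logged the reply half of the connection; it does not say where the reply went, so the same check is worth running on the second firewall's log to see whether the reply shows up there.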