Roon Across VLANs

Actually, for AirPlay, I did need a FW rule from IoT to private default VLAN allowing responses from a group of IoT hosts defined as AirPlay targets.

My FW rules were set up on my original USG well before I got the UDM Pro. I haven’t had the inclination to re-jig the existing rule sets into traffic rules as suggested by UI in the screenshot.

Generally, IoT devices cannot access the private VLAN, but the rule below allows them to respond to i-devices etc. for AirPlay requests. IIRC, I gave up trying to identify all the port ranges to make the rule a bit tighter from a security point of view, but it only allows replies to established and related traffic.
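
A rule set of the kind the post describes, written as an nftables fragment. This is an added example, not the poster's UniFi configuration; the interface names, subnets and host addresses are constructed assumptions.

```nftables
# Constructed example: interface names and addresses are assumptions.
#   br0  = private (default) VLAN, 192.168.1.0/24
#   br30 = IoT VLAN,               192.168.30.0/24
table inet vlan_fw {
    # The "AirPlay targets" group: only these IoT hosts may reply.
    set airplay_targets {
        type ipv4_addr
        elements = { 192.168.30.21, 192.168.30.22 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # The private VLAN may open connections to IoT devices.
        iifname "br0" oifname "br30" ip saddr 192.168.1.0/24 accept

        # Listed AirPlay targets may send packets that conntrack ties to
        # a flow already opened from the private side. No port list is
        # needed, and a packet in state "new" from these hosts never matches.
        iifname "br30" oifname "br0" ip saddr @airplay_targets ct state established,related accept

        # Everything else from IoT to private, including new connections
        # from the AirPlay targets themselves, is logged and dropped.
        iifname "br30" oifname "br0" log prefix "iot-to-private-drop " drop
    }
}
```

Running `nft -c -f` on the file parses the fragment without loading it, and the log prefix makes blocked IoT-initiated traffic easy to find when deciding whether the rule needs to be any wider.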