
Routing from VLAN blocked


Hi,

I just bought an EdgeRouter POE5 router, and I'm trying to configure it with a VLAN (for a guest wireless network).

I started with the WAN+2LAN2 wizard, connected the wireless access points to the second LAN (eth2-4), and then added a VLAN on the switch0 interface. I configured an IP address (192.168.3.1) for that VLAN and then added a new DHCP server (for the 192.168.3.0/24 subnet).

I'm able to get an IP address when I connect to that VLAN, and other clients not on the VLAN are able to ping clients on the VLAN. However, everything on the vlan cannot communicate with anything not on the vlan. This sounds like a firewall issue, but trying to ping from the vlan to another client gave a message about not having a route to the destination.

I looked for options to add a routing rule, but I couldn't find anything that looked like what I wanted.

Below is my configuration.

Thanks,

Philip

 

/* Interface layout as posted: eth0 is the DHCP-addressed uplink, eth1 carries
   192.168.1.0/24, and eth2-eth4 are members of switch0 (192.168.2.0/24),
   which also carries VLAN 3 (192.168.3.0/24). */
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Only port in this listing with PoE output enabled (48v). */
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output 48v
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        /* VLAN 3, the guest wireless network described in the post.
           NOTE(review): this listing shows no firewall section, so nothing
           visible here separates guest clients from 192.168.1.0/24,
           192.168.2.0/24 or the router's own services - confirm whether
           rulesets exist elsewhere in the configuration. */
        vif 3 {
            address 192.168.3.1/24
            mtu 1500
        }
    }
}
/* Router services as posted: one DHCP scope per subnet, DNS forwarding,
   the web GUI, outbound masquerade NAT and SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        /* Guest scope for VLAN 3. Unlike LAN1 and LAN2 it is not
           authoritative and hands out no dns-server, although DNS
           forwarding below does listen on switch0.3. */
        shared-network-name VLAN3 {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                lease 86400
                start 192.168.3.10 {
                    stop 192.168.3.100
                }
            }
        }
        use-dnsmasq disable
    }
    /* DNS forwarder listens on eth1, switch0 and the VLAN 3 sub-interface. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
            listen-on switch0.3
        }
    }
    /* Web GUI on ports 80 and 443.
       NOTE(review): older-ciphers is enabled; presumably this permits legacy
       TLS cipher suites - consider disabling it unless an old browser
       requires it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Masquerade (source NAT) for traffic leaving through eth0. */
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* SSH protocol v2 on port 22.
       NOTE(review): no listen address or firewall rule is visible in this
       listing - confirm the GUI and SSH are not reachable from eth0 or from
       the guest VLAN. */
    ssh {
        port 22
        protocol-version v2
    }
}

