SMB share as TimeMachine across subnets and firewall rules

I recently secured my home network a bit, putting clients in one VLAN and servers in another.
My TrueNAS server subsequently ended up in the servers VLAN (VLAN ID 100).
On said TrueNAS server, I run an SMB share as a TimeMachine for Mac backups. I have only one single Mac laptop in the clients network (VLAN ID 200).

As I blocked all traffic between the two VLANs in my firewall, this (among other things) no longer worked. So I opened a few specific ports, so needed things would work again. And everything did, except for TimeMachine.

The rule for TimeMachine opens ports 139, 445 and 584. TimeMachine from 200 to 100 does not work. Also, from a Windows client in VLAN 200 I cannot access the SMB share on the TrueNAS server. Running Test-NetConnection gives this response (I modified the hostname and IP addresses):

PS C:\Users\andber> tnc truenas.local -p 445
WARNING: TCP connect to (192.168.100.XXX : 445) failed
WARNING: Ping to 192.168.100.XXX failed with status: TimedOut

ComputerName           : truenas.local
RemoteAddress          : 192.168.100.XX
RemotePort             : 445
InterfaceAlias         : Ethernet 2
SourceAddress          : 192.168.200.XX
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : False

So, even though the port is opened in the firewall, it doesn't seem to work. But here is when it gets interesting. Or weird.

Next thing I tried was to set up two more NICs on the TrueNAS server, one VLAN interface, on VLAN 200. And then a bridge interface, on top of the VLAN 200 one.
I gave the bridge interface an IP in the 200 span, and added it to my local DNS. In this subnet, it is called truenas.lan.

Now, with this in place, the same Test-NetConnection gives this response:

PS C:\Users\andber> tnc truenas.local -p 445


ComputerName     : truenas.local
RemoteAddress    : 192.168.100.XX
RemotePort       : 445
InterfaceAlias   : Ethernet 2
SourceAddress    : 192.168.200.XX
TcpTestSucceeded : True

I do not understand why this works. If I remove the VLAN 200 NIC from the TrueNAS, it stops working.
If I remove the firewall rule allowing the ports 139, 445 and 584, pointing to the VLAN 100 NIC, it stops working.

Is there an explanation for this? Am I missing something obvious? Is it impossible to achieve this without giving the TrueNAS a NIC in the client subnet for some reason?
Is there a best practice for this kind of stuff?