As I enabled Peplink Bonjour Forwarding (Network → LAN → Network Settings → Bonjour Forwarding Settings), no separate firewall rules to forward Ports UDP:1900 (Bonjour, UPnP), UDP:5350 + UDP:5351 (both NAT Port Mapping) and 5353 (mDNS) are needed from IOT/Homekit VLAN (VLAN 210 in my example) to my untagged LAN.
I tested quite a while with more specific firewall settings (considering ports used by Apple products) between the IOT VLAN and the untagged LAN to restrict HomeKit traffic to pinholes.
Finally my conclusion is that it is not really working to restrict traffic to certain ports like APNS, HTTPS, HTTP, HomeKit, 3722, etc., as Apple is using a whole bunch of other ports as well. So I ended up reducing the traffic to a restrictively defined ACL / network group of devices in both networks that need to communicate with each other. Therefore, like @soylentgreen, I ended up granting a single firewall rule to allow ANY ↔ ANY communication between both groups. (https://forum.peplink.com/t/homekit-vlan-guest-wifi-setup-for-iot-security-on-peplink-balance-one/25515/8?u=ckirch)
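The following is an added illustration of the two policy styles the post compares, written for this page and not taken from the post or from Peplink; it is a plain policy evaluator, not Peplink configuration. It assumes addressing (192.168.1.0/24 for the untagged LAN, 192.168.210.0/24 for VLAN 210), the member IPs of the two device groups, the pinhole list (HTTP, HTTPS, APNs on TCP 5223, and 3722, approximating the ports named above) and a HomeKit accessory listening on TCP 51826, which is a constructed value: HAP accessories advertise their TCP port over mDNS and it varies per device. The four Bonjour-forwarded ports are the ones the post lists. Run over a set of constructed flows, it shows which connections each policy drops, which is the check to run against real firewall logs when deciding what a pinhole list would have to contain.

```python
"""Compare a port-pinhole firewall policy with a device-group ANY<->ANY policy
against a constructed set of HomeKit flows between a LAN and an IoT VLAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the untagged LAN and VLAN 210 (not taken from the post).
LAN = ip_network("192.168.1.0/24")
IOT_VLAN = ip_network("192.168.210.0/24")

# Device groups, i.e. the ACL / network groups of the post (assumed member IPs).
HOMEKIT_HUBS = {ip_address("192.168.1.20")}                               # e.g. an Apple TV home hub
IOT_DEVICES = {ip_address("192.168.210.31"), ip_address("192.168.210.32")}  # HomeKit accessories

# Relayed by Bonjour Forwarding, so no firewall rule is needed for them (ports from the post).
BONJOUR_FORWARDED = {("udp", 1900), ("udp", 5350), ("udp", 5351), ("udp", 5353)}

# The kind of pinhole list the post tried: HTTP, HTTPS, APNs (TCP 5223) and 3722.
PINHOLES = {("tcp", 80), ("tcp", 443), ("tcp", 5223), ("tcp", 3722)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def crosses_vlan(flow: Flow) -> bool:
    """True if the flow goes between the untagged LAN and the IoT VLAN, in either direction."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return (s in LAN and d in IOT_VLAN) or (s in IOT_VLAN and d in LAN)


def pinhole_policy(flow: Flow) -> bool:
    """Allow inter-VLAN traffic only on the pinhole ports (plus what Bonjour Forwarding relays)."""
    if not crosses_vlan(flow):
        return True
    return (flow.proto, flow.dport) in PINHOLES | BONJOUR_FORWARDED


def group_policy(flow: Flow) -> bool:
    """Allow ANY<->ANY between the two device groups; drop all other inter-VLAN traffic."""
    if not crosses_vlan(flow):
        return True
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return (s in HOMEKIT_HUBS and d in IOT_DEVICES) or (s in IOT_DEVICES and d in HOMEKIT_HUBS)


def blocked_by(policy, flows) -> list:
    """Return the flows the given policy would drop."""
    return [f for f in flows if not policy(f)]


# Constructed flows. TCP 51826 is an assumed accessory port: HAP accessories advertise
# their listening port via mDNS, so it differs per device and cannot be pinholed in advance.
SAMPLE_FLOWS = [
    Flow("192.168.210.31", "192.168.1.20", "udp", 5353),   # mDNS, relayed by Bonjour Forwarding
    Flow("192.168.1.20", "192.168.210.31", "tcp", 51826),  # hub -> accessory HAP session
    Flow("192.168.1.20", "192.168.210.32", "tcp", 443),    # hub -> accessory over HTTPS
    Flow("192.168.210.32", "192.168.1.20", "tcp", 3722),   # accessory -> hub
    Flow("192.168.210.99", "192.168.1.20", "tcp", 443),    # IoT device that is not in the group
    Flow("192.168.1.50", "192.168.1.20", "tcp", 22),       # intra-LAN, untouched by either policy
]

if __name__ == "__main__":
    for name, policy in (("pinholes", pinhole_policy), ("groups", group_policy)):
        print(name, "drops:", blocked_by(policy, SAMPLE_FLOWS))
```

Under the pinhole policy the HAP session on the mDNS-advertised port is dropped while the stray 192.168.210.99 device gets through on 443; under the group policy it is the other way round, which is the trade-off the post settles on.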