I'm glad you are sorting things out. I'm somewhat lost as to what you're trying to do now: are your latest blocks of text 1 and 2 saying things work how you want?
There's no such thing as a trunk IP subnet. There's a private subnet per VLAN and the default LAN 'Primary Network' is what everything would use if you don't assign router LAN ports and don't explicitly configure devices to be on a VLAN: perhaps this is what you mean by trunk IP subnet?
How to explain this?? You're in the UK, so... each road or part road (if it's a long one) has a post code (e.g. AB12 3CD) and each house on a road has a unique number or name: so house 47 on AB12 3CD can be uniquely identified with its number and post code. If the owners of the house decided to use 47 AB12 3CE then this would no longer be the same road and their post would end up somewhere else. The post code is analogous to the VLAN's subnet.
Each of the VLANs uses a different subnet so that it is possible for the RT2600ac to route between all its connected interfaces (WAN, LANs, VPNs, etc). Within each VLAN the local devices will get an IP address that is assigned from within that VLAN's subnet... this includes the router's interface that is on this VLAN: the router should be a.b.c.1 in all VLANs and VPN Plus service. The gateway setting of a VLAN's DHCP configuration should be the router's VLAN IP because this is the 'door' to get out of the VLAN to the wider world.
It's possible to use a DHCP server that is outside the current VLAN/subnet but that's outside the scope of the SRM DHCP services, except where you make an explicit client reservation and would have to do this for every device you connect in other VLANs... so not ideal. Also you would have to use DHCP relay to pass DHCP traffic between subnets. So forget this!
What you need is one DHCP server per VLAN and SRM does this; just be sure that you are not running another DHCP server as part of your TP-Link wireless setup as this will cause issues.
When you have devices assigned with IP addresses from their own VLAN subnet then the next thing you have to do is set up routing and firewall rules to allow the interaction you need. The RT2600ac will act as the gateway between all VLANs and also WAN. To have a VLAN accessible to others it must have its Isolation setting disabled; now you can configure firewall rules to allow and deny connections both VLAN A to B and also B to A. The rules can be different for each direction and you only have to add the initial client request direction: device N on B wants to access device X on A, for example.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A VLAN does not have to be associated to a subnet: a VLAN is a software mechanism to identify and separate packets so that switches and routers associate them with selected interfaces. But usually they are used to facilitate routing and handling of different subnets using the same physical hardware. In this case it's normal to consider a VLAN and subnetting together.
Within SRM there is an association between VLANs and subnets, to give you private zones on your internet network so that you can treat different classes of device / user with the appropriate authentication and security policy.
[In SRM] I don't know if it is possible to use a single subnet across VLANs, and then use firewall policies to limit access based on VLAN... I bet it's not possible.
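The addressing rules described in the reply above (one non-overlapping subnet per VLAN, the router as the first address and gateway in each, devices addressed from their own VLAN's subnet) written as a check. This is an added example, not part of the original post: the VLAN names, subnets and device addresses are constructed sample values, and `check_plan` is a hypothetical helper.

```python
import ipaddress

# Constructed sample plan (assumed values, not taken from the post).
VLANS = {
    "Primary": {"subnet": "192.168.1.0/24", "gateway": "192.168.1.1"},
    "IoT": {"subnet": "192.168.20.0/24", "gateway": "192.168.20.1"},
    "Guest": {"subnet": "192.168.30.0/24", "gateway": "192.168.1.1"},  # gateway in another VLAN
    "Lab": {"subnet": "192.168.20.128/25", "gateway": "192.168.20.129"},  # overlaps IoT
}
DEVICES = [
    ("nas", "Primary", "192.168.1.10"),
    ("camera", "IoT", "192.168.1.50"),  # static address taken from the wrong subnet
]


def check_plan(vlans, devices):
    """Return a list of (problem, subject) tuples; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(v["subnet"]) for name, v in vlans.items()}

    # Subnets must be distinct and non-overlapping, or the router cannot
    # decide which VLAN interface a destination address belongs to.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(("overlap", f"{a}/{b}"))

    # The DHCP gateway handed out in a VLAN must be the router's address in
    # that VLAN: inside the subnet, and its first address (a.b.c.1 for a /24).
    for name, v in vlans.items():
        gw = ipaddress.ip_address(v["gateway"])
        if gw not in nets[name]:
            problems.append(("gateway-outside-subnet", name))
        elif gw != nets[name].network_address + 1:
            problems.append(("gateway-not-router", name))

    # A device must use an address from the subnet of the VLAN it sits on.
    for host, vlan, ip in devices:
        if ipaddress.ip_address(ip) not in nets[vlan]:
            problems.append(("device-wrong-subnet", host))
    return problems


if __name__ == "__main__":
    for problem, subject in check_plan(VLANS, DEVICES):
        print(f"{problem}: {subject}")
```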