I think you're getting close to the root of my problem.
Here's how I'm setting up br1 in my router:
* Assigned VLAN10 and w0.1 (per my previous post)
* Assign IP 192.168.10.2 with 255.255.255.0 subnet mask
* Setup virtual DHCP server for this bridge and set to DISABLE since my UTM will be DHCP server
UTM VLAN 10 has an IP of 192.168.10.1 and is setup as the DHCOP server.
Also, I setup a static route in DDWRT sending 192.168.10 traffic to the 192.168.10.1 gateway interface in UTM.
Seems like the VLAN 10 interface is successfully getting tagged some traffic.
tcpdump: listening on eth1.10, link-type EN10MB (Ethernet), capture size 65535 bytes
After trying various settings on multicast forwarding, SPI firewall - including the multicast checkbox - unfortunately, I've had not luck piping multiple tagged VLANS successfully into my UTM.
Was able to find an R7000 in my basement (sweet) and am now using both my R8500 and R7000 to act as separate wireless networks which my UTM manages directly. It's a lot of hardware but everything works great now not having to tag traffic.
Special thanks to Per Yngve Berg and bkaskar for all your time and help! Much appreciated!