
Ping between subnets fails inconsistently

Super User Asked by KayBee on January 30, 2021

I am trying to add a "local-only" subnet to my DD-WRT setup to prevent wireless devices from "phoning home". This "local only" subnet should still be able to connect to the main local network, but not to the internet.
The main network (ath0, eth0) is bridged on br0 on 192.168.254.0/24 and I have added a VLAN (ath0.2), with the address range 192.168.101.0/24 assigned.
DD-WRT uses dnsmasq as a DHCP server. The setup seems to be OK, since I see IP addresses being assigned in the correct address ranges depending on the WLAN used. The file /tmp/dnsmasq.leases shows IP addresses from both subnets and the associated MAC addresses. Forwarding is enabled for the kernel and all involved interfaces. I have added rules to iptables to allow forwarding between both the interfaces br0 and ath0.2 and between the two IP address ranges.
iptables -I FORWARD -i ath0.2 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o ath0.2 -j ACCEPT
iptables -I FORWARD -s 192.168.254.0/24 -d 192.168.101.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.101.0/24 -d 192.168.254.0/24 -j ACCEPT
I have connected PCs to both the main and the "local only" subnet and can ping between both PCs.
The other devices on the "local only" subnet cannot be pinged from the main network, with an error returned from the gateway: Reply from 192.168.254.253: Destination host unreachable. The same devices respond to pings from the PC in the "local only" network. (Other connection types, e.g. HTTP, work and fail just as ping does.)

Here’s the working/not working ping overview:

  • Main network PC -> Local only PC YES
  • Local only PC -> Main network PC YES
  • Local only PC -> Local only device YES
  • Main network PC -> Local only device NO

When connecting directly to the gateway via SSH, the same response: the "local only" PC responds to pings, but the other devices don’t. How can ping fail when dnsmasq is able to assign IP addresses?

EDIT: 192.168.254.253 is the gateway for the main network. 192.168.101.0 is the gateway for the "local only" network. I understand that DHCP working has nothing to do with the pings not working; it’s just that obviously the IP addresses and the MAC addresses of the involved devices are known to the router, but somehow no route is found to only some devices on the "local only" network. I’m not familiar with tcpdump, but I can use Wireshark on the PCs.
ip route get 192.168.101.XXX to both the reachable and unreachable devices results in
192.168.101.XXX dev ath0.2 src 192.168.101.0
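As an added sanity check on the setup described above (example script, not code from the question or its answer): it classifies the two gateway addresses within their /24 prefixes, since 192.168.101.0 is the all-zeros host address of 192.168.101.0/24, a reserved host part that not every IP stack accepts as a unicast peer, and it generates the FORWARD rules that make a VLAN "local only" (reachable from the LAN, blocked towards the WAN). Interface names br0 and ath0.2 are taken from the question; vlan2 as the WAN interface is an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or answer. POSIX sh so it also
# runs on a DD-WRT busybox shell. br0 and ath0.2 come from the question;
# vlan2 as the WAN interface is an assumption.

# ip_to_int ADDR: dotted quad -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# role_in_subnet ADDR PREFIXLEN: prints network, broadcast or host.
# A gateway must be a host address; the all-zeros and all-ones host parts
# are reserved, and some IP stacks refuse to treat them as unicast peers.
role_in_subnet() {
    addr=$(ip_to_int "$1")
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    if [ "$addr" -eq "$net" ]; then echo network
    elif [ "$addr" -eq "$bcast" ]; then echo broadcast
    else echo host
    fi
}

# local_only_rules LAN_IF VLAN_IF WAN_IF: prints FORWARD rules for a
# "local only" VLAN: it may reach the LAN and the LAN may reach it, but
# nothing is forwarded from it towards the WAN. Rules are printed rather
# than executed so the script is safe anywhere; pipe into sh on the
# router to apply them.
local_only_rules() {
    cat <<EOF
iptables -I FORWARD -i $2 -o $3 -j DROP
iptables -I FORWARD -i $2 -o $1 -j ACCEPT
iptables -I FORWARD -i $1 -o $2 -j ACCEPT
EOF
}

# Demo on the two gateway addresses given in the question.
for gw in 192.168.254.253 192.168.101.0; do
    echo "$gw/24 is the $(role_in_subnet "$gw" 24) address of its subnet"
done
local_only_rules br0 ath0.2 vlan2
```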

One Answer

DHCP has nothing to do with routing. DHCP works on network layer 2; routing works on layer 3. There's something wrong on layer 3. If you clear up your "question mess" ;) we should be able to help you further.

Answered by Albin on January 30, 2021
