The main pitfalls were basically two things:

1. Not being aware of the fact that "sysctls are only read when the bridge interface is created, at boot or otherwise". That was quite a PITA since I created bridges and afterwards changed the relevant system tunables, deleted them and so on. Thats why my firewall rules never worked as expected. In order to avoid further collateral damage simply reboot after changing any system tunables.

Rule of thumb: "One does not simply setup a bridge without setting up system tunables beforehand!"

2. The settopbox didn't get an IP assigned by the DHCP server since relevant requests were blocked on the LAN1 interface. Fixed by a single rule:

IPv4 UDP 	LAN1 net 	68 	255.255.255.255 	67 	* 	none

As an exercise for myself I repeat the steps below.

Step 1: System Tunables

• net.link.bridge.pfil_member = 1 (default)
• net.link.bridge.pfil_bridge = 0 (default)

Step 2: Setup interfaces

• WAN0_VDSL (VLAN7)              -> PPPoE
• WAN0_IPTV (VLAN8)              -> DHCP (Class A private)
• LAN0                                      -> STATIC (Class A private)
• LAN1                                      -> NONE
• BR0_IPTV (LAN1, WAN0_IPTV) -> STATIC (Class B private/30)

Step 3: Setup DHCP server

• DHCP server running on BR0_IPTV

Step 4: Setup firewall rules
Important: All IGMP rules need "Allow IP options" to be enabled!

• LAN1

IPv4 UDP 	LAN1 net 	68 	255.255.255.255 	67       * 	none 	  	@Allow DHCP requests to pass
IPv4 IGMP 	* 	        * 	224.0.0.0/4 	        *        * 	none 	  	@Allow multicast traffic to pass
IPv4 UDP 	* 	        * 	239.255.255.250 	1900     * 	none 	  	@Allow SSDP requests to pass 

• WAN0_IPTV

IPv4 IGMP 	WAN0_IPTV net 	* 	224.0.0.0/4 	         *       * 	none 	  	@Allow multicast traffic to pass
IPv4 UDP 	87.141.215.251 	4000 	* 	                 10000 	 * 	none 	  	@Allow to "form" RTP streams

• BR0_IPTV

IPv4 TCP/UDP 	BR0_IPTV net 	* 	* 	                  * 	* 	none 	  	@Allow any TCP/UDP requests to pass

So long