Illya,

For testing, I setup a rule which allowed all traffic from 192.168.1.1-255 to reach 192.168.3.1.255.  I was able to ping 192.168.3.100, but not reach it with an app.

Can you direct me to a resource to gain a better understanding of the nuances of access rules?

Also, how do access rules interact with interVLAN routing (if they do).

Thank you.

What do you mean by "not able to reach it with an app?  If you go to port management>VLAN Membership you can enable Device Management on one or all VLAN and then access a web interface for each VLAN IP which I believe is the SVI (switch virtual interface).  

Access lists between VLAN again makes sure you enable VLANs on the membership page and then enable Inter VLAN routing in the table for each VLAN.  I just did a little testing and if I enabled inter vlan routing on VLAN 8 but not on VLAN 1 and I can ping an IP on VLAN 8 from 1 but I can't ping from a device on VLAN 8 to a device on 1.  So if you want strictly one way traffic this might work for you.  Note that if you enable inter vlan routing it works immediately but it seems if your disable it you need to restart the router for that change to take affect.

Now if you want traffic to flow both ways you'll need inter vlan routing enable on both or all vlans and then in your access lists you can deny all traffic from one lan to another in both direction and then allow in other entries specifically for what protocols you want to pass.  I believe you'll need to put any allows before the deny all.  Packets will take the first open door they come to in the access list so if you have a deny all follow by an allow all I think packets will knock on the deny door first, get no answer and then knock on the allow door who will let them in.  I could be wrong but to me that would be the logical way run an access list, check every door for permission to enter instead of the first door that doesn't like you shoots and kills you although a deny all might be an immediate death sentence.  

I tried enabling interVLAN routing on VLAN3 and I'm unable to ping it from VLAN1.

When I add an access rule I am able to ping VLAN3 from VLAN1 with interVLAN routing disabled on all VLANs.  So it's not clear to me what interVLAN routing is enabling.

While I can ping VLAN3, an app on VLAN1 which is scanning for a device connected on VLAN3, does not find it.  Is it possible this is because the subnet mask for the devices on VLAN1 is 255.255.255.0 so the scan is only looking at VLAN1?  I've tried masks of 255.255.192.0 and 255.255.128.0 and they don't seem to make a difference.

I'm just a small business without an IT guy trying to have a secure network.  I've paid for a Cisco support contract.  Any help is appreciated.

Broadcasts are typical restricted to their vlans widening your net mask might help but I’ce never tried.  When you disabled your intervlan routing did you restart the router.  It seems like when you enable the router rewrites the routing tables immediately but when you disable them they don’t disable rewirite those tables until you restart.  Did you enable it on both vlans?  If your trying to do broadcasts or discovery across vlans you might need layer 3 switches and the features they offer.  I haven’t been able to do SSDP across vlans on the RV325 so I keep my iPads on the same vlan with the devices are that need to be discovered on a small subnet 255.255.255.192 and all other static devices that I want to access with out discovery on the other vlans to minimize and separate my broadcast domains.

I just did some tests and I've found that I don't need to restart the router at all.  My earlier problems were pinging the VLAN SVI 192.168.1.1, 192.168.20.1 or 192.168.30.1 as opposed to clients on those vlans. When I ping a client disabling or enabling inter vlan routing is instant affected when I click save.  

FYI, most true IT people will say VLANs are for security but to minimize and isolate broadcast domains but for regular folks like ourselves who aren't worried about the full weight of the the Russian IT department cracking our networks VLANs are a decent layer of security too.  Security through obscurity does work to some extent although saying that could put me in front of an IT firing squad.