Edit: I meant 192.168.1/24 below in the question.
Is something being done incorrectly?
So for sure and IMO you've done something I consider unorthodox. You've configed 1/2/1 as dual-mode 2 <== that's vlan id 2
and configured 1/2/1 as a tagged member of vlan 2.
A couple of suggestions first and others may differ:
Simpler is better.
Don't shoot for the moon on your first config. Get the basics working correctly and then augment/add on to it.
Try and maintain configuration parity / purpose between the devices in your network stack. I say this because you mentioned spinning up VLAN 2 in your router/firewall and different IPs; I'm not sure as to the purpose.
For example, if you are using specific vlans in the switch but not in the router, don't re-use them in the router. It may get confusing...
Double check your router configuration. You've provided a puzzle - but only have the pieces. I'm not saying post the router config ... just make sure you don't have a typo in there.
Tag your trunks, don't mix untagged and tagged unless you ABSOLUTELY have to do so.
Simple devices should be untagged.
Routed connections can be untagged - IMO either use all tagged (with sub interfaces) or untagged (simpler) for routed connections. Make a mistake with tag/untag at the same time and everything stops working or behaves oddly.
Observations:
Yes, something is off. You should not have to make port 1/2/1 a tagged member of all those vlans.
If you get one VLAN to work correctly then they will all work correctly.
Question:
You aren't using 192.168.1/24 anywhere else? It is only being used for the transit VLAN between your switch and your router?
If you are, I recommend changing the subnet on your transit vlan to something that is not used anywhere else.
Reminder:
In order for a VE to come up you need at least one active port that is a member of that VLAN.
Troubleshooting suggestions:
Save your config, strip it down to basics, and start with say the transit vlan.
Assuming you have NAT properly configured the switch IP should be able to ping out/traceroute out to the Internetwebs.
Don't use dual-mode on your transit port, just make it an untagged member of that vlan.
Once that works add another vlan, get it working with a static IP first.
Once that works add your DHCP helper and make sure as stated before that the def gw is the VE interface for that subnet and the helper IP is the IP of your DHCP server (which appears to be your router/firewall).
After your first access vlan is working just clone the config, changing out the def gw in the DHCP scope for the appropriate subnet of that vlan.