I’ll need to go through this on a bigger screen later on, but a couple things caught my eye:
option encryption 'psk2+tkip+ccmp'
First is that allowing TKIP is generally not needed for any reasonably modern client and it reduces the security of your wireless. Second is that it curiously is associated with your troublesome 150 SSID/VLAN. psk2+ccmp would be my recommendation here. That may clear everything up.
config interface 'ifvlan150'
option proto 'dhcp'
option type 'bridge'
option ifname 'eth1.150'
It’s strange to me to have the router’s IP address assigned by DHCP, if it needs one at all. If you’re bridging the wireless clients (and perhaps wired clients) on the VLANs to a network where other services and the default route exist, at least for me, there is no need for the bridge to have an IP address at all. My bridged interfaces used for AP-only functions generally end with
option proto 'none'
option auto '1'
option delegate '0'
delegate is somewhat undocumented, but as I recall it reduces the IPv6 IP assignment. It “works for me” in my applications. Its function can be traced down through /lib/netifd/proto/dhcp.sh
I do have a dedicated management VLAN for my boxes, with a static IP. None of my “in-production” OpenWrt boxes has outside Internet access. If your needs are different, you can chose an approach that suits your security requirements.
option channel 'auto'
This is a placebo. hostapd generally picks the lowest numbered channel and, as far as I know, never budges from it. Picking a channel with reduced interference often gives better results.
option _orig_ifname 'eth1 ath0 ath1'
option _orig_bridge 'true'
This is legacy temporary clutter, which can be removed. It was the way that LuCI saved previous settings. This temporary storage has been moved to another location on OpenWrt master, at least. Not a problem, but cleans up your files.