1) That's a holdover from the setup on my other router, but it makes sense to me. If the range is where the dynamically allocated addresses are coming from, it seems like a good idea to keep the fixed addresses separate. Even if the router won't accidentally hand out a fixed address to someone else because the normal owner isn't currently online it's handy to know that any IP in range X was dynamic. I.e. if all my "known" machines are given fixed IPs and I see an IP in the dynamic range in some error log somewhere, I immediately know that it was a friend's machine or even someone who broke into my wifi that caused the problem.
2) I'll double-check, but that's very weird. My network topology is pretty much identical to what it was pre-zentyal. I'm using the same IP ranges, the media server has the same IP it had before, and so does the laptop. So if the media server was only set to accept certain IPs/IP ranges before, those same IPs are what's in use now.
3) I don't have IPtables running on the media server so I'm pretty sure that's not it.
4) Yep, real switch mounted in the rack. SMCGS16 EZ - it's unmanaged and has no config that might have gotten messed up.