As far I as I understand that is not possible but perhaps there is a misconception comparing swconfig and DSA.
port 5 represents a CPU port (physical lane to the switch chip). If you mean
by that then it is no longer required.
My understanding of how 802.1q tagging works (and I will stand corrected if that is wrong/incomplete)
-
a tagged port is going to output all traffic if part of the VLAN with vlan tag left intact
-
a tagged port will accept all tagged traffic with vlan tags which the port is a member of
-
a tagged port will output traffic matching is PVID without a vlan tag
-
a tagged port will put any incoming untagged traffic into the vlan matching it’s PVID
-
a untagged port will only output traffic of the vlan matching it’s PVID and the traffic will be without a VLAN tag
-
a untagged port will only accept traffic without a vlan tag and will put it into the VLAN matching it’s PVID
In that spirit (meaning an untagged packet on ingress cannot get tagged on egress on the same port) try
- remove the {downstream iface}.tagged from the network conf
and instead from cli
bridge v a dev br-lan self vid 11 untagged pvid
bridge v a dev lan0 vid 11 untagged pvid
sysctl -w /sys/class/net/br-lan/bridge/vlan_filtering=1
bridge v s will show applied settings