Asymmetric VLAN is it possible?

What is normal port isolation? I have only worked with Cisco's private VLANs, and they
use subdivided VLANs within a primary VLAN for the functionality inside the switch.

And switches that use PVID to configure the same thing (async VLAN),
which OpenWrt seems to belong to, like Linksys and Netgear?

Port isolation seems like a TP-Link concept?


I don't know if it applies to other vendors, but yes, my TP-Link T1600G-28PS has port isolation as one of its features.

Explanation about the private VLANs.

In a nutshell, you can create secondary VLANs with promiscuous, isolated, and community ports. The promiscuous can communicate with all other ports, while the community only with other ports of the same community.

Given the small amount of ports available on routers, this feature was not developed particularly. Maybe now that some managed switches are supported it will become a feature. Still, it is accommodating very specific scenarios and the same functionality can be achieved with intervlan routing and firewall rules.

I have tried to configure this using the latest OpenWrt 21.0.2 but it doesn't work.
I don't know why...
First I configured ports 1-3 in separate VLANs



Then I created bridges for every port

The first image does not look like 21.0.2.

Second, you need to do everything under br-lan,
and not create bridges under every LAN port.
Third, pay attention to the image in "dsa and pvid usage examples".


First image is from 21.02.1 Network-Switch; I configured VLANs for different ports.

Now I am trying to configure all the VLANs under br-lan.
Shame I didn't notice the PVID settings on the image, thanks for noticing,
and now it is like this



But when I apply the settings I lose connection to my 1 VLAN where the local interface is

It is 21.02; if your device hasn't migrated to DSA, then you have swconfig between the physical port and CPU, and DSA between the CPU and the OpenWrt network config.

At least that is how it is on the EAP245.

I really can't say I am surprised.
How is the computer (router CPU) supposed to know what to do when your entire network multi-VLAN setup is untagged on every port?

To be honest, your pictures don't say anything and are only confusing.
Please show the network config file instead.

Did you remember to sync your new network settings with the dhcp and firewall settings?

You need to bridge the eth ports, port1 port2 port3, then enable VLAN filtering under that bridge
and do the VLAN config in there. Physical ports on the switch should be network devices,
not VLANs or other bridges.

It seems you are creating VLANs on eth0.X and then bridging them under the bridge, which is the wrong sequence.

Reset, start fresh again, open br-lan, make sure your ports are showing up in the
bridge ports section as port1 to 3, then go to bridge VLAN filtering, make the VLANs and do the VLAN-PVID setup there.

I've reset all the settings,
created VLANs on ports 1, 2, 3,
created unmanaged interfaces and put them in one zone,
created a new bridge and put all the ports in it,
and still it doesn't work.



:pensive:

etc/config/network



config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb6:0b7c:505e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '8t 0'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '8t 3'

config switch_vlan
	option device 'switch0'
	option ports '8t 2'
	option vlan '20'

config switch_vlan
	option device 'switch0'
	option ports '8t 1'
	option vlan '30'

config interface 'port1'
	option proto 'none'
	option device 'eth0.10'

config interface 'port2'
	option proto 'none'
	option device 'eth0.20'

config interface 'port3'
	option proto 'none'
	option device 'eth0.30'

config device
	option type 'bridge'
	option name 'new-br'
	list ports 'eth0.10'
	list ports 'eth0.20'
	list ports 'eth0.30'
	option bridge_empty '1'

config bridge-vlan
	option device 'new-br'
	list ports 'eth0.10:u*'
	list ports 'eth0.20'
	option vlan '10'

config bridge-vlan
	option device 'new-br'
	list ports 'eth0.10'
	list ports 'eth0.20:u*'
	list ports 'eth0.30'
	option vlan '20'

config bridge-vlan
	option device 'new-br'
	list ports 'eth0.20'
	list ports 'eth0.30:u*'
	option vlan '30'

You should see eth0, eth1, eth2, etc. in the bridge; just use whatever is
there after the reset, it should be correct. :slight_smile:



config device                         
        option name 'br-lan'          
        option type 'bridge'          
        list ports 'eth0'        
        list ports 'eth1'        
        list ports 'eth2'        
        list ports 'eth3'        
        option acceptlocal '1'        
                                      
config device                       
        option name 'br-lan.10'            
        option type '8021q'      
        option ifname 'br-lan'  
        option vid '10'          
        option ipv6 '0'         
                                      
config device                      
        option name 'br-lan.20' 
        option type '8021q'     
        option ifname 'br-lan'  
        option vid '20'        
        option ipv6 '0'        
                               
config device                         
        option name 'br-lan.30'
        option type '8021q'        
        option ifname 'br-lan'   
        option vid '30'        
        option ipv6 '0'   
     
config bridge-vlan               
        option device 'br-lan'  
        option vlan '10'        
        list ports 'eth0:u*'
        list ports 'eth1:u'      
                                   
config bridge-vlan              
        option device 'br-lan'  
        option vlan '20'      
        list ports 'eth0:u' 
        list ports 'eth1:u*' 
        list ports 'eth2:u'

                                
config bridge-vlan                 
        option device 'br-lan'   
        option vlan '30'        
        list ports 'eth1:u'
        list ports 'eth2:u*'

And PS: as flygarn12 mentioned, first make sure the router you
are trying this with is on DSA, not swconfig.

You are trying to replicate a DSA config after all.

From the config and images, it looks like half and half.
Maybe you upgraded from 19.X or a pre-DSA config and kept
the config without a full reset, or something along those lines.
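
An added example, not part of any post in this thread: a small Python check that reads `bridge-vlan` stanzas like the ones suggested above and reports which port pairs can exchange untagged frames, so the intended isolation can be verified before applying the config. The function names are hypothetical, the sample is retyped from the reply as constructed input, and the model assumes a VLAN-filtering bridge that forwards by PVID and VLAN membership only (no MAC learning, no tagged ingress).

```python
import re
from collections import defaultdict

# Constructed sample: the three bridge-vlan stanzas from the reply above.
SAMPLE = """
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:u*'
        list ports 'eth1:u'
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:u'
        list ports 'eth1:u*'
        list ports 'eth2:u'
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth1:u'
        list ports 'eth2:u*'
"""

def parse_bridge_vlans(text):
    """Return (members, pvid): members[vid] = ports, pvid[port] = ingress VLAN."""
    members, pvid = defaultdict(set), {}
    for stanza in re.split(r"(?m)^config\s+", text):
        vid = re.search(r"option\s+vlan\s+'(\d+)'", stanza)
        if not stanza.startswith("bridge-vlan") or not vid:
            continue
        for port, flags in re.findall(r"list\s+ports\s+'([^':]+):?([^']*)'", stanza):
            members[int(vid.group(1))].add(port)
            if "*" in flags:          # '*' marks this VLAN as the port's PVID
                pvid[port] = int(vid.group(1))
    return members, pvid

def egress_ports(members, pvid, src):
    """Ports that receive an untagged frame entering on src (flooding view)."""
    vid = pvid.get(src)
    # Assumption: with VLAN filtering on, untagged ingress without a PVID is dropped.
    return set() if vid is None else members[vid] - {src}

def reachability(text):
    """Split port pairs into two-way links and one-way (misconfigured) links."""
    members, pvid = parse_bridge_vlans(text)
    ports = sorted(set().union(*members.values()))
    out = {p: egress_ports(members, pvid, p) for p in ports}
    two_way = {(a, b) for a in ports for b in out[a] if a < b and a in out[b]}
    one_way = {(a, b) for a in ports for b in out[a] if a not in out[b]}
    return two_way, one_way

if __name__ == "__main__":
    two_way, one_way = reachability(SAMPLE)
    print("two-way:", sorted(two_way))   # eth0 and eth2 never appear as a pair
    print("one-way:", sorted(one_way))
```

A non-empty one-way set means a port can send towards another port but the replies land in a VLAN the sender is not a member of, which is the usual way an asymmetric VLAN layout silently breaks.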