Bridging VLANs

Use case: one router, two dumb APs. The dumb APs are used as a guest network, both on WiFi and wired (4 ports).
I want every guest to be isolated from the others.

From various posts on this forum I understood that I have to set up one separate VLAN for each wired port and WiFi interface and then tie them together in a bridge device forming the guest network structure. The interface attached to the bridge device will be the common DHCP server of the guest network.

I've tried a basic exercise using v22.03 on the targeted router.

2 basic bridges: br-lan with ports 1 and 2 on the LAN interface for administration, and br-invite with ports 3 and 4 on the Invite interface (proper FW zone and rules allow DHCP and internet connection for the Invite network PC clients connected to ports 3 and 4).
No VLAN yet; it works well. The network config is as follows:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'invite'
        option proto 'static'
        option device 'br-invite'
        option ipaddr '172.16.19.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-invite'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

Then I tried to set up VLANs on the br-invite bridge. Going to Network->Devices->br-invite->Configure:
tick enable VLAN
add 2 VLANs, 13 and 14, respectively untagged* on ports 3 and 4
save and apply
I was expecting no change except no more communication between the PCs connected to ports 3 and 4.
Unfortunately I no longer have connectivity to the internet, nor do I receive DHCP (tcpdump shows that the initial bootp request gets no answer, while the FW traffic monitor of the invite zone shows no reject).

The network config is as follows:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'invite'
        option proto 'static'
        option device 'br-invite'
        option ipaddr '172.16.19.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-invite'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-invite'
        option vlan '13'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-invite'
        option vlan '14'
        list ports 'lan4:u*'

I've also tried to add network interfaces (proto 'none') to each VLAN, without success.

I do not see what I'm missing. Can somebody tell me what I'm doing wrong?
THX

What you're trying won't achieve that. You can (with some difficulty) prevent hardware switching between two Ethernet ports, but then if you place them in the same network they'd be software bridged together again, which has the same effect as hardware switching only slightly slower.

A general note here: if you don't need 802.1Q tagged packets on any hardware port, you can just refer to the (untagged) ports by their names in networks or bridges, and don't bridge any together that you want to stay isolated.

If you do need tagged hardware packets, DSA still seems to work best to declare a single bridge with all the ports in it, then separate networks with bridge-vlans within that single bridge. To attach a network to one of the VLANs, use option device br-lan.N with N the VLAN number. That is what you did not do in your configuration. There's an option device br-invite with no number, and since everything inside that bridge is now VLAN'd, the traffic won't reach that interface.
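As an added example (not code from this thread or from OpenWrt), a small Python lint that applies the point above to a UCI network config: it parses the /etc/config/network text and flags every interface bound to a bare bridge that carries bridge-vlan sections instead of bridge.N, plus interfaces bound to a bridge.N whose N is never declared. The sample config is constructed from the second config posted above.

```python
import re
# Constructed sample modelled on the second config in the thread: 'invite' is
# bound to the bare br-invite although br-invite now carries bridge-vlans.
SAMPLE = """
config interface 'invite'
        option device 'br-invite'
config interface 'lan'
        option device 'br-lan'
config bridge-vlan
        option device 'br-invite'
        option vlan '13'
        list ports 'lan3:u*'
config bridge-vlan
        option device 'br-invite'
        option vlan '14'
        list ports 'lan4:u*'
"""

SECTION = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?$")
KEYVAL = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; 'list' keys accumulate."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif sections and (m := KEYVAL.match(line)):
            kind, key, val = m.groups()
            opts = sections[-1][2]
            opts[key] = val if kind == "option" else opts.get(key, []) + [val]
    return sections

def check_vlan_attachments(text):
    """Return (interface, device, reason) for each interface that cannot see bridge
    traffic: a bare bridge with bridge-vlan sections, or a bridge.N with N undeclared."""
    sections = parse_uci(text)
    vlans = {}  # bridge name -> VLAN ids declared for it with bridge-vlan
    for typ, _, o in sections:
        if typ == "bridge-vlan" and "device" in o and "vlan" in o:
            vlans.setdefault(o["device"], set()).add(o["vlan"])
    findings = []
    for name, o in ((n, o) for t, n, o in sections if t == "interface"):
        dev = o.get("device", "")
        base, _, vid = dev.partition(".")
        if base in vlans and not vid:
            findings.append((name, dev, "bare VLAN-filtering bridge; use %s.N" % dev))
        elif base in vlans and vid not in vlans[base]:
            findings.append((name, dev, "VLAN %s is not declared on %s" % (vid, base)))
    return findings
```

A bridge without any bridge-vlan section (br-lan in the sample) is left alone, since an interface on the bare bridge is fine there.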

From different posts: using VLANs bridged on the same interface, with the bridge forwarding controlled using br-netfilter, allows
a) the use of VLANs gives full separation of the dumb AP ports + WiFi as well as the connection back to the router via a single trunk port
b) all VLANs bridged on a single interface have the same DHCP => same subnet (guest network)
c) the use of br-netfilter allows management of the forwarding within the bridge => bridged VLAN separation
Is this right?

The previous network configs were for configuration testing only.
Remember that my final config is one router + 2 dumb guest APs. If I want every guest to be isolated from the others, there are 2x(4 ports + 2 WiFi) to be isolated from each other and connected back to the router.
I do not see any other way than using VLANs (one trunk per AP) and bridging them together to form the guest network.
Is this right?

I was confused by the "bridge VLAN filtering". Now I understand that this defines the VLAN filtering function within the bridge, but it doesn't bridge them in any manner. In case I need to bridge VLANs, it must be done using another bridge device whose ports would be the VLANs previously created.
As an example: create VLANs in br-lan, br-lan.X, br-lan.Y... and then bridge them in br-invite, whose ports would be br-lan.X, br-lan.Y.
Is this right?

Hereafter an example of the targeted config:
br-lan.66 is the new LAN access connected to port 1
br-lan.10 and 19 are for the router's WLAN0 and 1
br-lan.20 to 29 are for the first dumb AP (ports 1 to 4 and WLAN0 and 1)
ports 3 and 4 are trunks for the 2 APs

Can we do that more simply??

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxxxxxxx'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.66'
	option ipaddr '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'yyyyyyyyyyyyyyy'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '66'
	list ports 'lan1'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'Invite'
	option proto 'static'
	option device 'br-invite'
	option ipaddr '172.16.19.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-invite'
	list ports 'br-lan.10'
	list ports 'br-lan.19'
	list ports 'br-lan.20'
	list ports 'br-lan.21'
	list ports 'br-lan.22'
	list ports 'br-lan.23'
	list ports 'br-lan.24'
	list ports 'br-lan.29'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '19'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '22'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '23'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '24'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '29'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'WLAN0'
	option proto 'none'
	option device 'br-lan.10'

config interface 'WLAN1'
	option proto 'none'
	option device 'br-lan.19'

In conventional networking, a VLAN is normally associated with a specific subnet. It's a one-to-one association. I'd recommend googling "router on a stick" to learn more about how this works.

Personally, I wouldn't even think about configuring a VLAN without configuring an interface to route between the subnets/VLANs. On all switches/routers I've worked with, you can configure a specific IP address for each VLAN.

OK, while I well understand what you say, I don't see how it helps with my config.
Any suggestion to establish my config, if VLAN is not appropriate?