I took out my own re-450v2. It’s running a snapshot from this week (March 15, 2023).
First just delete lan interface and br-lan. Then basically do this:
Then create your ssids and bridge them to the various admin/guest/iot interfaces.
On my spare Wndr3700v5 router I removed lan4 from br-lan.
Set up a new bridge ‘mainbridge’, added lan4, did vlan filtering as above.
Set up admin/guest/iot interfaces bridged with mainbridge.10, mainbridge.20, mainbridge.30. Activated dhcp on each of the interfaces and added them to their respective firewall zones. (I guess you already know, but you have to add new traffic rules for dhcp to work if they’re not using the default ‘lan’ zone. However, for my quick test I just added them all to the out-of-the-box ‘lan’ zone to check out the basic proof of concept.)
Then I plugged an ethernet cable from re-450v2 to lan4 on my wndr3700v5. When I tried connecting my iphone to the various admin/guest/iot SSIDs from re-450v2, it worked fine: I got a dhcp address in the correct subnets.
As you can see, I set the interface addresses on the re-450v2 to 192.168.10.2 etc. Obviously you can just set these interfaces to unmanaged when you know everything’s working fine.
You can also create separate bridge devices on main router and/or re-450 and add the resulting vlans (aka mainbridge.10/20/30) and then add those bridges to the interfaces instead of selecting the vlan directly if you somehow needed the extra options from the bridge interface, like igmp snooping and so on, but it's usually not needed.
Regarding your specific example (your drawing), you cannot use untagged together with tagged (at least not with the vlan filtering method). Instead just add 1 more vlan. However, in your main router, you can bridge/add that vlan to your "normal" bridge.
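
An added example, not part of the original post: a sketch of the main-router side described above in OpenWrt's DSA bridge VLAN filtering syntax, with the guest VLAN placed in its own firewall zone and the DHCP rule the post mentions. The router address 192.168.20.1, the zone name and the rule name are assumptions; the DHCP pool in /etc/config/dhcp is not shown.

```uci
# /etc/config/network on the main router (constructed example)
config device
	option name 'mainbridge'
	option type 'bridge'
	list ports 'lan4'

# One bridge-vlan section per VLAN. ':t' marks lan4 as tagged,
# so the single cable to the extender carries all three VLANs.
config bridge-vlan
	option device 'mainbridge'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '30'
	list ports 'lan4:t'

# Guest interface on VLAN 20 (address is an assumption).
# admin and iot repeat this section with mainbridge.10 and mainbridge.30.
config interface 'guest'
	option device 'mainbridge.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/firewall: a separate zone instead of the default 'lan' zone
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# With input rejected, DHCP requests must be allowed explicitly
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
```

Clients in a zone with rejected input also need a matching rule for DNS (port 53) if the router is their resolver.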