Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
This is not DSA. The device has a single-port Ethernet PHY, not a switch. So the syntax eth0.N will cause packets tagged N to appear directly on the port. Do not make any bridge-vlans. Use separate ordinary bridges, then attach each one to a VLAN on the port with list ports eth0.N.
Mixing tagged and untagged on the same cable is less certain to work, especially with consumer-grade equipment, and thus is not recommended. Tag all the networks with a unique VLAN number.
Creating an "admin" network with a dedicated wifi AP (no Ethernet) is useful during setup: in case the Ethernet is mis-configured, you will still have access to the router.
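The layout described above (one ordinary bridge per network, each with only the 802.1Q sub-interface eth0.N as its wired member, plus an admin SSID so the box stays reachable), written out as OpenWrt UCI. This is an added illustration, not the poster's own config: the VLAN IDs 10/20/30, the bridge and interface names, the 192.168.10.2 management address and the SSID names are assumptions, and it assumes the default 'lan' interface and br-lan device have been removed so that eth0 itself is not a member of any bridge.

```uci
# /etc/config/network on the single-port device (no switch, no DSA).
# Added example; VLAN IDs, names and addresses are assumptions.
# Everything on the cable is tagged; there is no untagged/native VLAN.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.255.255.0'

# One ordinary bridge per network. No 'config bridge-vlan' sections:
# the eth0.N sub-interface does the tagging, so frames leave the PHY
# tagged N and only frames tagged N are delivered back into that bridge.

config device
	option name 'br-admin'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.20'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.30'

# Only the admin network carries an IP address; that is the one you
# manage the extender over. Guest and IoT are pure layer-2 bridges
# ('none' = unmanaged) so the extender has no IP stack on them.

config interface 'admin'
	option device 'br-admin'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'iot'
	option device 'br-iot'
	option proto 'none'

# /etc/config/wireless: each SSID is attached to its bridge via 'network'.
# Only the admin SSID is shown in full; guest/iot differ in network,
# ssid and key. 'isolate' keeps guest clients from talking to each other.

config wifi-iface 'admin_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'admin'
	option ssid 'admin-setup'
	option encryption 'psk2'
	option key 'CHANGE-ME'        # placeholder, set a real passphrase

config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'

# /etc/config/firewall: with 'lan' gone, the default zone must name the
# admin network or ssh/LuCI on 192.168.10.2 will be rejected.

config zone
	option name 'lan'
	list network 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
```

After `/etc/init.d/network restart`, confirm the sub-interfaces exist and are members of the right bridges with `ip -d link show eth0.10` and `bridge link`, and confirm tagged frames actually leave and return on the wire with `tcpdump -ne -i eth0 vlan 20` while a client on the guest SSID requests a DHCP lease; if you see the request go out tagged but no offer come back, the problem is on the far end of the cable, not on the extender.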
This case works fine on this device. But I have a similar device, an RE350, where this case does not work. The VLAN virtual devices do not TX/RX any packets to Ethernet. The RE350 doesn't have lan, only eth0 (by the way, why does the RE450 have lan over eth0?), and the VLAN device eth0.77 doesn't work: it is created, but doesn't work. I wanted to test bridge VLANs on the RE450 (where VLANs work) and then copy this case to the RE350. But...
The RE350 is a lot different from the RE450. The 350 has a SoC with an internal switch which is always in the data path. The switch has to be accounted for even though only one port is wired out physically.
Then create your SSIDs and bridge them to the various admin/guest/iot interfaces.
On my spare WNDR3700v5 router I removed lan4 from br-lan.
Set up a new bridge 'mainbridge', added lan4, did VLAN filtering as above.
Set up admin/guest/iot interfaces bridged with mainbridge.10, mainbridge.20, mainbridge.30. Activated DHCP on each of the interfaces and added them to their respective firewall zones. (I guess you already know, but you have to add new traffic rules for DHCP to work if they're not using the default 'lan' zone. However, for my quick test I just added them all to the out-of-the-box 'lan' zone to check out the basic proof of concept.)
Then I plugged an Ethernet cable from the RE450v2 to lan4 on my WNDR3700v5. When I tried connecting my iPhone to the various admin/guest/iot SSIDs from the RE450v2, it worked fine: I got a DHCP address in the correct subnets.
Lastly:
As you can see, I set the interface addresses on the RE450v2 to 192.168.10.2 etc. Obviously you can just set these interfaces to unmanaged when you know everything's working fine.
You can also create separate bridge devices on the main router and/or RE450 and add the resulting VLANs (aka mainbridge.10/20/30), and then add those bridges to the interfaces instead of selecting the VLAN directly, if you somehow need the extra options from the bridge interface, like IGMP snooping and so on, but it's usually not needed.
Regarding your specific example (your drawing), you cannot use untagged together with tagged (at least not with the VLAN filtering method). Instead just add one more VLAN. However, in your main router you can bridge/add that VLAN to your "normal" bridge.
As you can see from my config: 'lan' disappears when you remove the lan interface and the br-lan device. The 'lan' you're talking about comes from the 'lan' interface. When removed, you're left with eth0.
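The main-router side of the procedure described in the post above (a VLAN-filtering bridge on lan4 with VLANs 10/20/30, one interface per VLAN with DHCP, and the firewall zones plus the DHCP/DNS traffic rules those zones need), as an added example that is not the poster's own configuration. The device name 'mainbridge', the VLAN IDs, the 192.168.10/20/30.1 addresses, the zone names and the decision to give guest and iot their own restricted zones (rather than reusing 'lan' as the poster did for the quick test) are assumptions; the admin interface is placed in the existing 'lan' zone.

```uci
# /etc/config/network on the main router (lan4 is the trunk to the extender).
# Added example; names, VLAN IDs and addresses are assumptions.
# lan4 must first be removed from br-lan's 'list ports'.

config device
	option name 'mainbridge'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan4'

# lan4 is tagged (':t') in every VLAN and untagged in none, so nothing
# leaves the port without a tag and untagged frames arriving are dropped.
config bridge-vlan
	option device 'mainbridge'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '30'
	list ports 'lan4:t'

# The filtering bridge exposes mainbridge.10/20/30; each becomes an L3
# interface that serves DHCP for its subnet.
config interface 'admin'
	option device 'mainbridge.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'mainbridge.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'mainbridge.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: one pool per interface (iot is identical to guest
# apart from the interface name).
config dhcp 'admin'
	option interface 'admin'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall. admin joins the existing 'lan' zone:
#   uci add_list firewall.@zone[0].network='admin'
# guest gets its own zone with input REJECT, which is exactly why the
# extra rules below are needed: without them the router drops the DHCP
# and DNS requests from guest clients and they never get an address.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Repeat the zone, forwarding and two rules for iot with its own name. Verify the bridge side with `bridge vlan show`, which should list lan4 in VLANs 10, 20 and 30 with no PVID/untagged flags, and the firewall side with `fw4 print` (or `fw3 print` on older releases) to confirm the ACCEPT rules for ports 67 and 53 precede the zone's REJECT. If a guest client gets no lease, `tcpdump -ne -i lan4 vlan 20 and port 67` tells you whether the request arrives tagged correctly; if it does but `logread -e dnsmasq` shows nothing, the firewall rule is the missing piece.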
Software VLAN over eth0 -> e.g. VPID 21 -> eth0.21
Then add eth0.21 to br-work. This way it doesn't accept traffic: it sends but does not accept.
The variant with a VLAN bridge works fine.
Maybe it would work if you deleted the default br-lan. You probably can't have eth0 bridged to anything and then make a software VLAN out of it. I didn't test this. But at least for the VLAN bridging method you can't mix "disabled, aka no VLAN" and tagged VLAN on the same port. (Your drawing says "untagged", but the other screenshots suggest that you really meant disabled, as untagged would mean that the untagged traffic gets a PID in your case; and in any case it's just clearer and more proper if you just tag everything.)