OK
Then the first step is to create the VLANs on the switch and on router 2. (I recommend having only tagged traffic between the switch and router 2, and between the switch and the dumb APs.)
PS: be careful, you may find that you no longer have access to router 2. (In this example I created VLANs for the three required zones.)
Example:
vlan 10 = lan
vlan 20 = iot
vlan 30 = guest

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4:t'

config interface 'lan'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
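
A check for this kind of layout, as an added example that is not part of the original post: it parses the network config and reports a trunk port left untagged in any VLAN, a port untagged in more than one VLAN, and an interface bound to a `br-lan.N` device that no `bridge-vlan` section defines. The names `parse_uci`, `check_vlans`, `trunk_ports` and `SAMPLE` are hypothetical, and every `bridge-vlan` section is assumed to carry both `device` and `vlan`.

```python
import re
from collections import defaultdict

# Constructed sample, not the post's config: VLAN 30 leaves lan4 untagged and
# the guest interface points at a VLAN that no bridge-vlan section defines.
SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '30'
    list ports 'lan4'
config interface 'guest'
    option device 'br-lan.40'
"""

def parse_uci(text):
    """Parse UCI text into sections holding type, name and {option: [values]}."""
    sections = []
    for line in text.splitlines():
        words = [q or b for q, b in re.findall(r"'([^']*)'|(\S+)", line)]
        kind = words[0] if words else ""
        if kind == "config" and len(words) > 1:
            sections.append({"type": words[1], "name": (words[2:] or [None])[0], "opts": defaultdict(list)})
        elif kind in ("option", "list") and sections and len(words) > 2:
            sections[-1]["opts"][words[1]].append(words[2])
    return sections

def check_vlans(text, trunk_ports):
    """Return findings; trunk_ports (hypothetical parameter) must be tagged in every VLAN."""
    sections, findings = parse_uci(text), []
    untagged, defined = defaultdict(list), set()
    for s in (x for x in sections if x["type"] == "bridge-vlan"):
        dev, vid = s["opts"]["device"][0], s["opts"]["vlan"][0]
        defined.add(f"{dev}.{vid}")
        for port in s["opts"]["ports"]:
            name, _, flags = port.partition(":")
            if "t" not in flags:  # no suffix, or ':u', means the port is untagged
                untagged[name].append(vid)
                if name in trunk_ports:
                    findings.append(f"trunk port {name} is untagged in VLAN {vid}")
    findings += [f"port {n} is untagged in VLANs {', '.join(v)}" for n, v in untagged.items() if len(v) > 1]
    bridges = {d.rpartition(".")[0] for d in defined}
    findings += [f"interface {s['name']} uses undefined {d}" for s in sections if s["type"] == "interface"
                 for d in s["opts"]["device"] if d.rpartition(".")[0] in bridges and d not in defined]
    return findings
```

Calling `check_vlans(open('/etc/config/network').read(), {'lan4'})` on the router runs the same check against the live file, with `lan4` as the trunk port in this post's layout.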