Help request for router configuration

You can arrange with extra route, untagged br-lan.1234 goes to wan, then you add specific route to management subnet via that interface.

That is an advanced topic. Tagged and untagged on the same port doesn't always work. For now just set up the tagged VLANs and don't try to manage it.

Works on particular devices brainier AX54 cousin.
Protocol wise "not working" is a critical bug.

Understood (I hope, it's almost midnight :) ).
Taking all suggestions into consideration, including ....

.. this would mean, if I'm not wrong, that we can use wan only with VLAN 10 and lan3 only with VLAN 20, which is a problem.

But... right now wan is working OK untagged + VLAN 10 and lan3 is working OK untagged + VLAN 20. The difference is this (if relevant): I did not use VLAN filtering but 802.1q devices.
See my network config file in the OP.
So I am keen to believe the ASUS will accept untagged + tagged on same bridge port (fingers crossed).

EDIT:
An idea could be to use VLAN 666 "untagged" for FWA modem management and VLAN 100 "untagged+primary" for lan interface and TP-link reachability, avoiding potential problems of DSA.
Would the tag 100 be removed on lan1/lan2/lan3 for egress traffic and, vice versa, would the tag 100 be added to ingress untagged traffic?

If yes, configuration could look like this:

And the interfaces would map like this:

Internet (DHCP client to modem for Internet) ==> br-lan.10
Gestione (DHCP client to modem for management) ==> br-lan.666
VoIPtunnel (unmanaged) ==> br-lan.20
lan (static IP) ==> br-lan.100

EDIT:
Does it make sense? or am I misunderstanding something?

That is a hypothetical problem, place tagged and untagged together and check whether it works.

Yepp!!
Just please confirm my understanding of "untagged" and "primary VLAN" is correct (see the EDIT in my last post).

Tomorrow I shall be able to give it a try and report on outcome.
Thanks all and good night!

Hello again,
implemented the DSA configuration, all appeared OK but... I ran into a problem..
This is what I saw in the log once every second:

Mon Mar  2 16:31:00 2026 kern.warn kernel: [ 1571.071871] br0: received packet on wan with own address as source address (addr:02:00:00:00:00:ff, vlan:10)

VLAN 10 is only tagged on the wan interface of the bridge (now named br0).
Any possible cause which could generate this loop has been reviewed, including disconnecting lan3 (so the VX830v) and any other VLAN from wan, but no joy.
So after countless tests, I decided to take the step to disable STP from br0 and.. all seems to be working ok.
So it looks like there is a problem with the FWA modem once STP is enabled on the wan (as part of br0). The own address referred to in the log should be the MAC address, according to Google searches.

I also modified firewall zones during the debug, but this is most likely unnecessary.
So this is the current "DSA compliant" configuration..

Since there's only 1 untagged VLAN in lan1, lan2 and wan, I did not use PVID just untag.
The VX830v wan port is configured with VLAN 20 (VoIP) and VLAN 100 (management).

The network config file follows. Private MAC addresses have been used during debug, again this is unnecessary (except you must have 3 different MACs for the FWA modem's DHCP server to work ok).

root@ASUS-STUDIO:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:9f6a:ecc7::/48'
        option packet_steering '1'

config interface 'lan'
        option device 'br0.100'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option force_link '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'phy0-ap0'

config device
        option name 'phy1-ap0'

config device
        option name 'wan'
        option ipv6 '0'
        option macaddr '02:00:00:00:00:FF'

config interface 'Internet'
        option proto 'dhcp'
        option device 'br0.10'
        option hostname 'Internet'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option delegate '0'

config interface 'Gestione'
        option proto 'dhcp'
        option device 'br0.666'
        option hostname 'Gestione'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

config interface 'VoiPtunnel'
        option proto 'none'
        option device 'br0.20'
        option defaultroute '0'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br0'
        option macaddr '02:00:00:00:00:00'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config bridge-vlan
        option device 'br0'
        option vlan '10'
        list ports 'wan:t'

config bridge-vlan
        option device 'br0'
        option vlan '20'
        list ports 'lan3:t'
        list ports 'wan:t'

config bridge-vlan
        option device 'br0'
        option vlan '100'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3:t'

config device
        option name 'br0.10'
        option type '8021q'
        option ifname 'br0'
        option vid '10'
        option macaddr '02:00:00:00:00:0A'
        option ipv6 '0'

config device
        option name 'br0.20'
        option type '8021q'
        option ifname 'br0'
        option vid '20'
        option ipv6 '0'
        option macaddr '02:00:00:00:00:14'

config device
        option name 'br0.100'
        option type '8021q'
        option ifname 'br0'
        option vid '100'
        option macaddr '02:00:00:00:00:64'
        option ipv6 '0'

config bridge-vlan
        option device 'br0'
        option vlan '666'
        list ports 'wan'

config device
        option name 'br0.666'
        option type '8021q'
        option ifname 'br0'
        option vid '666'
        option ipv6 '0'
        option macaddr '02:00:00:00:02:9A'

EDIT: this is what the FWA modem shows:

A final note on DSA documentation.
IMHO it should be revised, since it is bound to OpenWRT 21 (including the excellent YT video by @onemarcfifty pointed out in the wiki), and the choices of VLAN filtering have changed since.
Just my opinion, but having the ability to set Egress / Ingress untag rather than just Untag was more flexible, but we'll take OpenWRT as it is (a great gift for all).

So let me know if you have any idea on why STP was generating the loop (rather than preventing it, quite interesting :) ).

As the wise say, "you are never too old to learn"
For the moment, thanks a lot !!
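
The kernel warning quoted in the post above names a bridge, a port, a source MAC and a VLAN. The script below is an added example, not part of the original post: it parses that line, looks up which `config device` section is set to that MAC, and shows how the port is listed in the `bridge-vlan` sections. The function names and the trimmed sample config are assumptions for illustration.

```shell
# Added example, not from the thread; function names are hypothetical.
SAMPLE_LOG='kern.warn kernel: [ 1571.071871] br0: received packet on wan with own address as source address (addr:02:00:00:00:00:ff, vlan:10)'
sample_config() { cat <<'EOF'   # trimmed from the config posted above
config device
        option name 'wan'
        option macaddr '02:00:00:00:00:FF'
config bridge-vlan
        option vlan '10'
        list ports 'wan:t'
config bridge-vlan
        option vlan '666'
        list ports 'wan'
EOF
}
# parse_warning LINE -> "bridge port mac vlan" (mac lower-cased), empty if no match
parse_warning() {
    printf '%s\n' "$1" | sed -n 's/.* \([^ :]*\): received packet on \([^ ]*\) with own address as source address (addr:\([0-9A-Fa-f:]*\), vlan:\([0-9]*\)).*/\1 \2 \3 \4/p' |
        awk '{ $3 = tolower($3); print }'
}
# mac_owners MAC < config -> names of "config device" sections whose macaddr is MAC
mac_owners() {
    awk -v mac="$1" -v q="'" '
        function flush() { if (sect == "device" && tolower(m) == tolower(mac)) print name; name = m = "" }
        $1 == "config" { flush(); sect = $2 }
        $1 == "option" { gsub(q, "", $3) }
        $1 == "option" && $2 == "name" { name = $3 }
        $1 == "option" && $2 == "macaddr" { m = $3 }
        END { flush() }'
}
# port_vlans PORT < config -> "VID:tagged" or "VID:untagged" (assumes "option vlan" precedes "list ports")
port_vlans() {
    awk -v port="$1" -v q="'" '
        $1 == "config" { sect = $2; vid = "" }
        sect != "bridge-vlan" { next }
        $2 == "vlan" { vid = $3; gsub(q, "", vid) }
        $2 == "ports" { s = $3; gsub(q, "", s); n = split(s, p, ":")
            if (p[1] == port) print vid ":" ((n > 1 && p[2] ~ /t/) ? "tagged" : "untagged") }'
}
# explain_warning LINE < config -> one-line summary; returns 1 if LINE is not this warning
explain_warning() {
    cfg=$(cat)
    read -r br port mac vlan <<EOF
$(parse_warning "$1")
EOF
    [ -n "$mac" ] || return 1
    owners=$(printf '%s\n' "$cfg" | mac_owners "$mac" | xargs)
    vlans=$(printf '%s\n' "$cfg" | port_vlans "$port" | xargs)
    echo "bridge=$br port=$port vlan=$vlan mac=$mac owners=[$owners] port_vlans=[$vlans]"
}
```

On the router this can be fed live data with `explain_warning "$(logread | grep 'own address' | tail -n 1)" < /etc/config/network`.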