I want one port to act like a switch

x86 4-port OpenWrt box.

ISP MODEM -----> Port1 (eth0, wan) OpenWrt -----> Port3,4 (eth2,3 lan ports)
                                           -----> Port2 (eth1, set-top box)

The set-top box requires a public IP.

Currently, I have set up br-wan (eth0, eth1) in Network -> Device and get IPs from the ISP by using br-wan as a DHCP client in Network -> Interface.

When I connect the set-top box to eth1, it gets a public IP but no internet access.
To solve this, I set "Restrict Masquerading to given source subnets" in the wan zone of Network -> Firewall to my LAN subnet so that the set-top box can access the internet.

Is there a better way?
I want something like isolating one port with the IPTV settings on common routers.
I feel that the current configuration is somehow not elegant. lol
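
The setup described in the post, written out as the UCI sections that the LuCI steps correspond to. This is an added illustration, not part of the original post; the LAN subnet 192.168.1.0/24 is an assumed placeholder, and the other wan-zone options are assumed to be left at OpenWrt's stock values.

```uci
# /etc/config/network
# Bridge the ISP-facing port and the set-top box port at layer 2,
# so the set-top box requests its own address from the ISP.
config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth0'   # Port1, to the ISP modem
	list ports 'eth1'   # Port2, to the set-top box

# The router itself is a DHCP client on the same bridge.
config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

# /etc/config/firewall
# wan zone with masquerading limited to the LAN subnet
# ("Restrict Masquerading to given source subnets" in LuCI).
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'      # assumed stock value
	option output 'ACCEPT'     # assumed stock value
	option forward 'REJECT'    # assumed stock value
	option masq '1'
	option mtu_fix '1'         # assumed stock value
	list masq_src '192.168.1.0/24'   # placeholder: replace with the real LAN subnet
```

With this layout the set-top box sits on the ISP segment with a public address and is not behind the router's lan zone rules, so its exposure depends on the ISP network and on the device's own hardening.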