Hello
I have somewhat of an understanding of VLANs and OpenWRT, but with the change to DSA I must admit I am a bit unsure if my way of doing it is the best and most correct way of doing it; therefore I'd like some advice on this setup.
The default for the OpenWRT router that I have is to have a bridge called br-lan for all the ports that are used for the internal network, and a bridge called br-wan for the WAN ports. This seems to work as the default setting. The ISP that the device connects to has several VLANs: VLAN 10 for VOIP and management of the ISP devices, VLAN 11 for IPTV, which is multicast, and VLAN 12 for internet access.
My solution was to set all the ports in br-lan, remove the bridge br-wan, and then send everything untagged to the LAN ports on VLAN 1 while the WAN port gets tagged on both VLAN 11 and VLAN 12 (VLAN 10 isn't required as no VOIP service is used and the OpenWRT router won't be managed by the ISP). I assign the wan and wan6 interfaces to br-lan.12 and make a new interface called IPTV assigned to br-lan.11. The local network interface gets assigned to br-lan.1.
This, together with some firewall rules and an igmpproxy, seems to work both for internet and IPTV (except some issues with IPv6 detailed in another post), but I am still unsure if this is the correct way to approach this, or if there is a better, more efficient and especially more secure way of setting it up, maybe even keeping both the bridges br-lan and br-wan separated while still making all of this work?
Any advice or suggestion is greatly appreciated.
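
One way to check the single-bridge layout described in the post for unintended overlap between the LAN VLAN and the ISP-facing VLANs. This is an added example, not part of the original post: the sample config is constructed, and the port names (lan1, lan2, wan) are assumptions that differ per device.

```python
import re

# Constructed sample of /etc/config/network (DSA syntax) for the layout in the post.
# Port names lan1, lan2 and wan are assumptions; check your device's own names.
SAMPLE = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'wan'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '11'
    list ports 'wan:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '12'
    list ports 'wan:t'
"""

def vlan_ports(text):
    """Return {vlan_id: {port: flags}} parsed from the bridge-vlan sections."""
    vlans = {}
    for section in re.split(r"(?m)^config ", text)[1:]:
        if section.startswith("bridge-vlan"):
            vid = int(re.search(r"option vlan '(\d+)'", section).group(1))
            vlans[vid] = dict(re.findall(r"list ports '([^':]+):?([^']*)'", section))
    return vlans

def audit(text, uplink="wan", lan_vid=1):
    """Return findings where the LAN VLAN and the ISP VLANs would share a port."""
    findings = []
    for vid, ports in sorted(vlan_ports(text).items()):
        if vid == lan_vid:
            if uplink in ports:
                findings.append(f"VLAN {vid}: uplink {uplink} is in the LAN VLAN")
            continue
        if "t" not in ports.get(uplink, ""):
            findings.append(f"VLAN {vid}: not tagged on uplink {uplink}")
        for port in sorted(set(ports) - {uplink}):
            findings.append(f"VLAN {vid}: LAN port {port} sits on an ISP VLAN")
    return findings

print("\n".join(audit(SAMPLE)) or "no LAN/ISP VLAN overlap found")
```

The check covers bridge VLAN membership only; the firewall zone assignment for br-lan.11 and br-lan.12 still has to be reviewed separately.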