OpenWrt 21.02.0 rc3 VLAN in bridge problem

Thanks for the quick answer, however setting up like this

doesn't work: I can't ping the router from my computer (on LAN1) and the phone doesn't work.
Might it be related to the MT76 and how the CPU port is treated (there is just one big eth0 interface and also the WAN is DSA managed)?

Before you click save & apply, you have to also set your LAN interface's device to br-lan.1.


Ok, by doing that I can access the router.

However, it doesn't solve the "problem". I'll give some more details.
The VoIP device expects tagged traffic on vlan 5 and unfortunately there is no way to access the management page to modify this setting. VoIP credentials of my ISP, however, work even without the tag (I can set up Linphone on my Mac and phone using the normal - untagged - internet). So I wanted to reuse without using the 5-tag on the WAN.
So in 19.07, I created an eth0.5 interface and bridged it to the eth0.1 interface, so that the ATA box could receive the DHCP setting from the router and be pingable from other hosts in the LAN. The bridge automatically added and removed VLAN tags to and from the ATA box.
I know that I could set up another bridge interface on the other VLAN and set up a new DHCP server, but my goal was to have a single one on the same subnet and just "remove" the VLAN tag from the box.
The setting was the following:

config interface 'lan'
	option type 'bridge'
	option proto 'static'
        ....
	option ifname 'eth0.1 eth0.5'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 0 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '5'
	option ports '6t 3t'

I can't get the same result in 21.02. I can use a different DHCP server on br-lan.5 of course to reach the ATA box; another option is to add lan4.5 to br-lan so I can have the box on the same subnet, but not reachable because the bridge itself is not able to correctly remove and add the VLAN tag (but on the forum I found out that it seems to be a problem of MT76, that the CPU port - eth0 - is not tagged).

To sum up, I don't really need a different VLAN scenario, just a way to remove the tag from the device when added to the bridge.

Thank you for taking time to read! :slight_smile:

Do you need the tagged VLAN 1 on the LAN side anyway?
If not, remove the VLAN 1, set lan1~3 to untagged in VLAN 5, and set LAN interface's device to br-lan.5.

I tried that as well and still it doesn't work.
I'm really starting to believe that there is a bug in the MT7530 switch, as if the packet is not sent over the bridge but directly on fabric without adding the tag, unfortunately I don't have other chipsets to try.

Thank you anyway :slight_smile:

Hello, maybe you can help me with the following problem. Wi-Fi Access Point (WDS) doesn't work when VLAN filtering is enabled. I can connect to this AP, but don't have access to the network. When I set WiFi as a client (WDS) it works fine.

Could you post your configuration again?

Sure thing.

First of all I start with 19.07: I reflashed the router so as to get the original behaviour.

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.1 eth0.5'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 0 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '100'
	option ports '6t 4t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 3t'
	option vid '5'


I tried to ping from my PC (untagged VLAN on LAN1, when I took the screenshot the cable was not attached yet) and the ATA box received it. On the router itself, I ran a tcpdump on the br-lan interface and noticed that I could see the ICMP packets: this makes perfect sense, since the bridge is in charge of removing and adding the tag and so traffic has to flow over it.
Pinging another PC on an untagged port works perfectly and no traffic appears on br-lan; this also makes sense because, in this case, since we are in the default VLAN 1, all traffic goes through fabric and the bridge is not involved.

Now let's go to 21.02. Right now, the best way to have the voip device working is the following, that you don't approve of :sweat_smile:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4.5'

In this way, the voip box connects to the internet and works just fine. But when I try to do the same experiment as before, ping doesn't work and, funny thing, I don't see any traffic on br-lan.
Traffic doesn't seem to reach the bridge but is switched directly in fabric.
Using bridge vlan filtering causes a lot of problems, as described in other topics too:
MT7621 can not enable vlan_filtering on kernel 5.4 (where it is linked to the dual core nature of MT7621 and the fact that the fabric itself includes the WAN)
MT7621 bridged vlan with tagging not working properly Tagged host cannot ping untagged host (same device and situation from august 2020)
https://lore.kernel.org/netdev/E1jEB0y-0006iF-5g@rmk-PC.armlinux.org.uk/

The first bug you mentioned (MT7621 can not enable vlan_filtering on kernel 5.4) is already fixed.

The second does not use VLAN filtering at all.

Did you forget to set LAN device to br-lan.5? Without your VLAN filtering configuration, I can only guess..

Unfortunately I didn't forget, here is the config you suggested.

LAN started on br-lan.5


This kind of vlan filtering doesn't work, even if I use br-lan.1 or set the local flag.

Oh, you should also set PVID on LAN1~3.


In any case, it doesn't work.

Ok, now I got it working! This is the setup:

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t*'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
        ............
	option device 'br-lan.5'

Still, I don't get why simply bridging different VLANs as in 19.07 (without putting everything on the same VLAN and without setting the PVID) doesn't work. Probably I'll have to dig deeper in the DSA architecture.

Thank you very much!


As of kernel 5.4, it is just not implemented. The software bridging fallback support for DSA was just added recently, and will be in kernel 5.15.


That explains everything. Thank you, have a nice day!!

Hi
Did you find a solution? I have a similar problem and don't get it running (Question: why can't I reach devices connected with bridge? - #7 by ne20002):

The ATA box from my ISP broke down and I bought another one that doesn't need the tagged interface.
There is no way in 21.02 to have the same behaviour as 19.07.

Thanks, this helped and now starts to make sense.
Apparently now with DSA you have to specify VLAN ID to the virtual interface as well to bind it to the VLAN.
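
The three corrections this thread converged on (no `lanN.VID` sub-interface as a bridge port, PVID on the untagged ports, and the LAN interface bound to `br-lan.<vid>`) can be checked mechanically against a UCI network config. The following Python is an added example, not posted by anyone in the thread; `parse_uci`, `check` and the `BROKEN` sample are hypothetical names and constructed input.

```python
import shlex

# Constructed input: the lan4.5 bridge port from the thread's first 21.02 attempt,
# plus a bridge-vlan port without PVID and a LAN interface left on bare br-lan.
BROKEN = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4.5'
config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:u'
	list ports 'lan4:t'
config interface 'lan'
	option device 'br-lan'
"""

def parse_uci(text):  # -> [(section_type, {option: value or list})]
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append((tok[1], {}))
        elif tok and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok and tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def check(text):
    """Flag the three misconfigurations the thread worked through."""
    secs = parse_uci(text)
    vlans = {(o.get("device"), o.get("vlan")) for t, o in secs if t == "bridge-vlan"}
    out = []
    for t, o in secs:
        if t == "device" and o.get("type") == "bridge":
            for p in (p for p in o.get("ports", []) if "." in p):
                out.append(f"{o.get('name')}: bridge port {p} is a VLAN sub-interface")
        elif t == "bridge-vlan":
            for p in o.get("ports", []):
                port, _, flags = p.partition(":")
                if "u" in flags and "*" not in flags:
                    out.append(f"vlan {o.get('vlan')}: {port} untagged without PVID (*)")
        elif t == "interface":
            base, _, vid = o.get("device", "").partition(".")
            if any(d == base for d, _ in vlans) and (base, vid) not in vlans:
                out.append(f"interface device {o['device']}: not bound to a configured bridge-vlan")
    return out
```

Running `check` on the working setup posted above returns an empty list; on `BROKEN` it returns one finding per misconfiguration.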
