I've decided to segment my IoT devices from the rest of the LAN. So I created a new interface and then a 2.4GHz vAP as well as a 5GHz vAP for this new zone and bridged them all together. I have one device that's wired on one of the router's switch ports (LAN4) that needs to be part of this new network. So I figured the best way was to create a vlan (vlan 3) and put that port/vlan into the bridge group. Since E0 is used for WAN traffic and E1 is used for LAN traffic, I figured I wanted to make this new vlan a logical interface off E1. Can someone who's done this before make sure I did this right and don't have any security holes? For VLAN3, does CPU eth1 need to be tagged or is that only if I have a switch off that interface and plan to put other wired IoT devices on the downstream switch?
Any VLAN that needs to be routed must connect to a CPU.
If you're referring to VLAN3 attached to Port4, it looks fine.
It's fine as long as your firewall rules are OK.
Makes sense regarding vlans that need to be routed. Thanks for the second pair of eyes.