Vlan help new setup

I know people here are probably tired of people like myself asking for help with Vlans but! I need some help lol!

New install, x86 platform, running in a VM on Proxmox.

My device is the following https://www.amazon.com/gp/product/B0BCKVTTBQ/ref=ppx_yo_dt_b_asin_title_o03_s00?ie=UTF8&th=1

Port 1 is Wan
Port 2 is my PC
Port 3 is Unraid
Port 4 is Blank
Port 5 is blank for now; it will be a managed TP-Link Omada switch soon.
Port 6 is a MoCA adapter that connects to a TP-Link Omada AP in another room.

I know the default setup has a br-lan bridge device that makes up my LAN of 192.x.x.x.

I want to create VLANs for IoT, Kids and Guest: VLAN ID 20 for Kids, 21 for IoT and 22 for Guest.

The AP will have SSIDs attached to the LAN and the VLANs.

I'm unable to enable VLAN filtering on the default br-lan; it just doesn't enable. I really just want the default br-lan to listen for VLAN tags if possible, but it doesn't appear it can? So how do I go about setting this up — do I just create a new bridge device, add the ports and enable filtering on it?

cat /etc/config/network

# /etc/config/network as posted: a Proxmox x86 VM with eth0 on the WAN port and
# eth1-eth5 bridged into a single LAN. No 'bridge-vlan' sections exist yet, which is
# consistent with VLAN filtering not being active on br-lan (see the question above).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Redacted by the poster; the real value is the router's IPv6 ULA /48.
        option ula_prefix 'x.x.x.xblablabla/48'

# The LAN bridge. Port 2 is eth1 (per the reply below); presumably Port N maps to
# eth(N-1), so Unraid (Port 3) would be eth2 and the MoCA link to the AP (Port 6) eth5.
config device
        option name 'br-lan'
        option type 'bridge'
        # Keep the bridge device present even with no member ports.
        option bridge_empty '1'
        # NOTE(review): IPv6 is disabled on the bridge device, yet 'lan' below asks for
        # ip6assign and /etc/config/dhcp serves DHCPv6/RA on it -- confirm that is intended.
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

# Router address on the bridge. Kids/IoT/Guest networks added later each need their
# own 'config interface' on a separate device (e.g. eth4.20) or a bridge-vlan.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.200.1'

# Upstream side (Port 1): IPv4 and IPv6 obtained by DHCP/DHCPv6 from whatever is upstream.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'

cat /etc/config/dhcp

# /etc/config/dhcp as posted. Only the 'lan' pool exists; each Kids/IoT/Guest interface
# will need its own 'config dhcp' section, otherwise clients on it receive no lease.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS-rebinding protection: discard upstream answers that point at private ranges.
        # Worth keeping on once guest/IoT clients share this resolver.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS for directly attached subnets (new VLAN subnets qualify).
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        # NOTE(review): start 125 + limit 150 runs past .254 of the /24 on 'lan';
        # check the effective end of the generated pool if leases ever run short.
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '125'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves IPv4 DHCP with dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases. With 'mac' empty (presumably redacted for the post) neither entry
# can match a client; the real MAC must be present for a reservation to work.
config host
        option dns '1'
        option mac ''
        option ip '192.168.200.10'
        option name 'TCore' 

config host
        option name ''
        option dns '1'
        option mac ''
        option ip '192.168.200.2'

cat /etc/config/firewall

# /etc/config/firewall as posted: stock OpenWrt defaults plus the miniupnpd include.
# Policy for traffic that belongs to no zone; 'forward REJECT' means nothing crosses
# zones unless a 'config forwarding' section allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: hosts may reach the router itself (input) and every network listed in
# this zone (forward). Putting the Kids/IoT/Guest interfaces into this zone would give
# them the same reach to the PC and Unraid as the LAN; isolate them in their own zones
# with input REJECT (plus rules allowing DHCP and DNS to the router), forward REJECT,
# and a 'config forwarding' to 'wan' only.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN zone: unsolicited inbound rejected, NAT (masq) and MSS clamping enabled.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Only lan -> wan is permitted; no other inter-zone forwarding exists.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the OpenWrt defaults: each accepts one specific inbound
# protocol from 'wan' to the router, or (dest set) through it.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD only from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 needed for IPv6 to function (NDP, PMTU), rate-limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Inbound IPsec (ESP + IKE on udp/500) from WAN forwarded into 'lan'. Default rules;
# nothing in this thread needs them, so they can be removed if no VPN host sits on the LAN.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# UPnP/NAT-PMP: lets hosts on the networks miniupnpd serves open their own WAN port
# forwards. Decide per network whether that is wanted; an IoT or guest VLAN normally
# should not be served. Which networks it serves is configured by the miniupnpd
# package, not in this file.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

What you simply need to do in your setup is VLAN-tag the port you want tagged in the bridged interface, so for example:

Port 2 (eth1) with a VLAN tag of ID 10 will look like this: eth1.10. The number after the dot specifies the VLAN on that interface, and you are able to do multiple VLANs on one interface, so let's say

you want your Kids, IoT and LAN networks to reach the switch so you are able to set access ports for the VLANs; you can do

eth4.1 - lan
eth4.20 - kids
eth4.21 - iot
eth4.22 - guest

and put them as separate interfaces, while they are actually just VLAN-tagged sub-interfaces of one port, which sets up the VLANs for the switch to access. Each of those interfaces also needs its own firewall zone: the tags only separate the traffic on the wire, and an interface added to the existing 'lan' zone (forward ACCEPT) can still reach the PC and Unraid.

Note: those VLAN-tagged ports can be part of a bridge device, so you can put multiple ports with VLANs in it, for example:
eth1.1, eth4.1 — which allows ports 2 and 4 access to your LAN :slight_smile:

If this doesn't answer your question: you need to remove the port you want to have tags on from the bridge and add it back with its VLAN tag, like the examples above.

Note: you can still leave the port itself untagged on your LAN even if it is tagged with another VLAN; this is useful in cases where you have APs behind unmanaged switches that still pass VLAN tags.

I would like every port but WAN to listen. So to do this, do I need to make my LAN a VLAN?

Only if you want to. You can run your LAN untagged and run the other networks with VLAN tags, for the case where you have an unmanaged switch carrying both LAN clients and an AP that needs to broadcast the guest network.

In short: not required, but optional :slight_smile:

If that helped you out, I would greatly appreciate it if you clicked the solution button.

Nah, I'm still trying to get it figured out and working.

Seems to be working after removing the default br-lan and recreating it.