VLAN split off 3 of the 4 Ethernet ports to Hotspot

Firmware:
LEDE Reboot (17.01.4, r3560-79f57e422d)

++++++++++++++++++++
Hi there!

Router: Linksys WRT3200ACM

I have a system a "Hotspotsystem" that is up and running.

All is working, the hotspot is on the two wifi bands. (radio0 and radio1)

Malapascua 2,4 GHz
Malapascua-5G 5,0 GHz

4 LAN ports (ethernet RJ45) is NOT on the hotspot.

One first question:
Is it possible to configure the router via the terminal window as via GUI?
Where is the best?

REAL QUESTION:
I want to virtually split off 3 of the 4 Ethernet ports to be used for HotSpot purposes by ethernet cable.
The LAN1 and LAN2 and LAN3 should work in the same way that you log in via either of the two wifi channels. (No internet without login)
LAN4 Should, work as before for configuration throu ethernet cable to 192.168.1.1.

Only LAN 4 port will be separated and have same function as all LAN port has today.
Need help to add my configuration with VLAN3

Understand that I need to create a VLAN 3 that connects to the bridge "WIFI BRIDGE"

But I don´t know how to solw this.
Please Help
Regards

My configuration below:

root@LEDE:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option ifname 'eth0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'

config interface 'wifi5g1'
        option proto 'none'
        option auto '1'
        option delegate '0'

config interface 'wifi'
        option proto 'none'
        option auto '1'
        option delegate '0'
        option _orig_ifname 'wlan1'
        option _orig_bridge 'false'

config interface 'wifi5g2'
        option proto 'none'
        option auto '1'
        option delegate '0'

config interface 'wifibridge'
        option type 'bridge'
        option proto 'none'
        option auto '1'
        option delegate '0'
        option _orig_ifname 'wlan1 wlan2'
        option _orig_bridge 'true'

++++++++++++++++++++++++++

root@LEDE:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

++++++++++++++++++++

root@LEDE:/etc/config# cat firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'DROP'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifi'
        option forward 'DROP'

config zone
        option name 'wifi5g1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifi5g1'
        option forward 'DROP'

config zone
        option name 'wifi5g2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifi5g2'
        option forward 'DROP'

config forwarding
        option dest 'wan'
        option src 'wifi'

config forwarding
        option dest 'wan'
        option src 'wifi5g1'

config forwarding
        option dest 'wan'
        option src 'wifi5g2'

config zone
        option name 'wifibridge'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifibridge'
        option forward 'DROP'

config forwarding
        option dest 'wan'
        option src 'wifibridge'

++++++++++++++++++++

root@LEDE:/etc/config# cat wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option txpower '20'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option ssid 'MALAPASCUA-5G'
        option network 'wifi5g1 wifibridge'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option txpower '20'
        option country 'US'
        option channel '11'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'none'
        option ssid 'MALAPASCUA'
        option network 'WIFIBRIDGE wifi wifibridge'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option country 'US'
        option hwmode '11g'
        option htmode 'HT40'
        option channel '1'
        option txpower '22'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        option key '********'
        option ssid 'KING-LARS'
        option network 'WIFIBRIDGE lan wifi5g2'
        option disabled '1'

See: Separate subnet on physical port #4

This looks like you have a typical gigabit router (Archer C7 etc) with two CPU ports and everything going through a 7-port switch.

First you need to break eth0 into two VLANs through the switch, and tag them into the CPU (but untagged on the Ethernet cables). For example VLAN 1 could be 1 5t (assuming 5 is the CPU eth0) and VLAN 10 '2 3 4 5t' VLAN 2 continues to exist, its purpose is to connect the WAN Ethernet port to eth1.

Then change LAN to use eth0.1 and put eth0.10 into the bridge with the captive-portal wifi AP(s). Note that you don't specify wifi devices in /etc/config/network, instead you refer back to the network interface in /etc/config/wireless.