Welcome to the wonderful world of "vlan trunking"! You should ignore the web UI when setting up VLANs. That dang UI caused me nothing but problems. I had to factory reset then define all the vlans with nvram settings. Do take note that there are no dots (.) in the nvram variable names, that's a search expression. A grep for "port.*vlan" will search for "port<anything>vlan".
For trunking, I found it necessary to tag both the wired ports and the cpu port in dd-wrt. Like you, I had a mix of tagged and untagged vlans on a single port. Here's how you would setup port 1 as a trunk for vlan1 (untagged/default) and vlan3 (tagged):
nvram set vlan1ports="1 2 3 4 8t*"
nvram set vlan2ports="0 8t"
nvram set vlan3ports="1t 8t"
nvram set vlan3hwname=et0
nvram set port5vlans="1 2 3 16"
nvram set trunking=1
nvram commit
reboot
16=tagged, t=tagged, *=default
Now create a new bridge and add vlan3 in Setup->Networking, and update your dnsmasq configuration to give it address ranges, just like br0 does for vlan1. Once all that's done, it's just a firewalling problem. _________________ [Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
That Switched_Ports Wiki is indeed a great primer on VLANs. The last section on VLAN trunking describes exactly what OP is attempting to do:
Quote:
create a default VLAN (untagged VLAN on a trunk port) which is not possible at all in the GUI even if the GUI works for your model
Unfortunately it doesn't mention tagging the CPU port, though doing so might be a Broadcom quirk. The wiki didn't quite teach me to fish, but it taught me to cast like the wind!
The final piece of the puzzle was an unanswered 5-year-old thread WRT610nv2 DDwrt VLAN. It talks about the /proc/switch/eth0/vlan/*/ports files produced by the broken UI. Looking at them it seems the CPU port gets tagged on all the vlans when trunking. This led me to muck around with the trunking and vlanXports settings to arrive at the working combination I posted above. _________________ [Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
Welcome to the wonderful world of "vlan trunking"! You should ignore the web UI when setting up VLANs. That dang UI caused me nothing but problems. I had to factory reset 
then define all the vlans with nvram settings. Do take note that there are no dots (.) in the nvram variable names, that's a search expression. A grep for "port.*vlan" will search for "port<anything>vlan".