CCR ROUTER LAYER 2

Hello

I am new to the CCR router side, as I come from the Cisco side.

I am using a CCR router to route basic internet traffic as an ISP.

I have the SFP+ 1 port as our router port and the SFP+ 2 port as our WAN to all our customers.

I am trying to set up VLAN 10 to be a trunk port to pass that VLAN from the SFP+ 1 port to the SFP+ 2 port.

The SFP+ 1 port is a layer 2 link back to our data center and we are setting up VLAN 10 as our mgmt VLAN.

We need to pass VLAN 10 up to the data center as this is where our main firewall is located.

Any help would be great.

There are different ways of doing it, but the proper (and extensible and future-proof) way is by setting up a VLAN-enabled bridge on the CCR.

Have a look at this tutorial on how to do it properly. There are a few use cases explained; I don’t think yours is directly one of them (some concepts of switch apply, also some concepts of all-in-one apply). So here’s a brief description of how I’d tackle the problem:

  • WAN port will be set up as a hybrid port, with VID 10 for mgmt and PVID set up (e.g. 666) for internet service.
  • LAN ports will be either hybrid with VID 10 tagged and PVID set up (e.g. 100) for LAN service.
    Or they will be untagged (access ports) with PVID set up (either 10 for access to management subnet or 100 for LAN service)
    Or they will be trunk with VLANs allowed set to whatever VLANs have to pass (e.g. for connecting core/edge switches)
  • bridge port has to be a tagged member of all VLANs necessary. This means management VLAN and all VLANs between which CCR needs to route (LAN, WAN).
  • you’ll create (at least) 3 VLAN interfaces with vlan-id set to 10 (management interface), 100 (LAN interface) and 666 (WAN interface). Set up WAN interface the way ISP requires it (DHCP client or PPPoE client or static IP), set up LAN interface with appropriate LAN IP address and services (DHCP server), set up management interface with appropriate setup.
  • create firewall rules which will allow access to management interface only from management subnet (chain=input) and block routing between management and other networks (WAN in particular) (chain=forward)
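
The steps in the reply above, written out as a RouterOS configuration. This is an added example, not part of the thread or of any MikroTik tutorial. The names `bridge1`, `sfp-sfpplus1` (taken as the WAN/uplink port) and `sfp-sfpplus2` (taken as the LAN-side port), the `vlan…` interface names, the DHCP client on WAN and all IP addresses are assumptions.

```routeros
# Added example. Port roles, interface names and addresses are assumptions;
# the subnets are constructed documentation ranges.

# 1. Create the bridge with filtering still off, so the session is not cut mid-setup
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Hybrid ports: untagged frames land in the PVID, VLAN 10 stays tagged
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=666 frame-types=admit-all
add bridge=bridge1 interface=sfp-sfpplus2 pvid=100 frame-types=admit-all

# 3. VLAN table: the bridge itself is a tagged member of every VLAN the CCR routes
#    or manages; VLAN 10 is tagged on both ports so it passes through at layer 2
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2
add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=sfp-sfpplus2
add bridge=bridge1 vlan-ids=666 tagged=bridge1 untagged=sfp-sfpplus1

# 4. Layer 3 interfaces on top of the bridge
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
add name=vlan100-lan interface=bridge1 vlan-id=100
add name=vlan666-wan interface=bridge1 vlan-id=666
/ip address
add address=192.0.2.2/24 interface=vlan10-mgmt
add address=198.51.100.1/24 interface=vlan100-lan
/ip dhcp-client
add interface=vlan666-wan disabled=no

# 5. Firewall: the router is reachable only from the management subnet,
#    and nothing is routed into or out of the management VLAN.
#    Other input traffic (e.g. ICMP) needs its own accept rule above the drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan10-mgmt src-address=192.0.2.0/24
add chain=input action=drop comment="no router access from anywhere else"
add chain=forward action=drop in-interface=vlan10-mgmt comment="mgmt is not routed out"
add chain=forward action=drop out-interface=vlan10-mgmt comment="nothing is routed into mgmt"

# 6. Turn VLAN filtering on last, once ports, VLAN table and addresses are in place
/interface bridge
set bridge1 vlan-filtering=yes
```

Enabling `vlan-filtering` is the step that can lock out a remote session if the VLAN table is wrong, so it is best applied from a console connection or with Safe Mode active.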