Router on a stick + VLAN + WAN needs egress vlan tag

The WAN part (ether1) is pretty fine right now. It’s the LAN part (ether2-5) which lacks a little bit of configuration.

When you set bridge with vlan-filtering=yes, it actually starts to perform VLAN-related tasks. One of them is tagging/untagging frames passing bridge ports. Ether2-5 (as per default, which you did not change) are untagged ports of VLAN 1 (pvid=1), but your bridge expects to work with VLANs 30 and 31. So try to set one of ether2-5 ports to pvid=30, then enable vlan-filtering and see if the device connected to that port can communicate with the internet.

Beware that you don’t have any firewall hence both router and LAN devices will be exposed to possible attacks when connected to ONT (unless your ISP runs a firewall for you). Having WAN address of 10.x.y.z means ISP does NAT (again), but that doesn’t make your router nor LAN safe.
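
The steps from the reply above, written out as RouterOS commands together with a minimal firewall. This is an added example, not configuration posted in the thread: the bridge name `bridge`, the choice of ether2 as the test port, and the WAN interface name `wan-vlan` (standing in for the tagged VLAN interface on ether1) are assumptions to replace with your own names.

```routeros
# Added example; "bridge" and "wan-vlan" are assumed names, ether2 is an arbitrary test port.

# 1. Make ether2 an untagged (access) port of VLAN 30.
/interface bridge port set [find interface=ether2] pvid=30

# 2. VLAN table entry: the bridge itself is a tagged member so the router's
#    VLAN 30 interface receives the frames; ether2 is untagged.
#    If an entry for VLAN 30 already exists, edit it instead of adding one.
/interface bridge vlan add bridge=bridge vlan-ids=30 tagged=bridge untagged=ether2

# 3. Enable filtering only after the port and VLAN table are set.
/interface bridge set [find name=bridge] vlan-filtering=yes

# 4. Interface list for the WAN side, so firewall rules do not depend on names.
/interface list add name=WAN
/interface list member add list=WAN interface=wan-vlan

# 5. Protect the router itself (input chain).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=WAN comment="drop everything else from WAN"

# 6. Protect LAN devices (forward chain): no new connections from WAN
#    unless they match a dst-nat (port forward) rule.
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop unsolicited WAN traffic"
```

Verify with `/interface bridge vlan print` that ether2 is listed as untagged for VLAN 30, and with `/ip firewall filter print stats` that the WAN drop counters increase once the ONT is connected.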