Yes you can move it - just interchange eth2 and lan4 so you get something like
config interface 'lan'
option ifname 'lan0 lan1 lan2 lan3 eth2.10'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option _turris_mode 'managed'
config interface '<other interface 1>'
option ifname 'eth2.11'
option type 'bridge'
option proto 'static'
option ipaddr '<other.interface1.ip.address>'
option netmask '255.255.255.0'
option delegate '0'
config interface '<other interface 2>'
option ifname 'eth2.12'
option type 'bridge'
option proto 'static'
option ipaddr '<other.interface2.ip.address>'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option ifname 'lan4'
option proto 'dhcp'
Adapt it to your needs and afterwards simply connect your ethernet cable for WAN to lan4-port and your cable for lan/<other interface 1>/<other interface 2> to WAN-port and do a /etc/init.d/network restart via SSH and you are done.
I did the same (actually I just changed interface names, VLAN-IDs and IP-adresses in the snippet above, yet I do not use WAN (as my TO is a dump but 
AP)). The ARP-issues should be gone as they are for me 
btw - this is also an example for a situation where direct invocation of DSA doesn’t give any benefit: The traffic from/to WAN is completely processed (as you do not have a VLAN-ID set here) by CPU and therefore there is no VLAN-tagged traffic that could be forwarded from one port to another without passing CPU (which would be handled like shown by @anon82920800 ->here)