Sure, I'll explain a bit better. But I am now scared since you said "overwhelmed" :S
1. Device B (HAP AC3 AX), IP 192.168.25.3, is connected via RJ45 to Device A (RB4011 WiFi), IP 192.168.25.2.
2. Device B sits outside of the apartment (private storage room in the building) and is responsible for allowing access to Internet, plus comms with IoT WiFi devices and driving regular LAN/WiFi comms for devices in that room.
3. Device A is responsible for WAN access, plus regular LAN/WiFi and IoT WiFi.
5. Currently I do not have IoT WiFi segregated in its own VLAN (still have to find the time to dig into mDNS and other important elements for Home Assistant to work properly with all my IoT devices).
5. VLAN10 (172.16.10.0/24) is used only for Hyper-V VMs, where I tag the VLAN ID for the respective interfaces where I want to just provide Internet access
6. Ether4 is where my Windows Server is connected to (which will have access to regular LAN and VMs to VLAN10)
7. 172.25.0.0/24 is the subnet for ZeroTier, which is configured in Device A (192.168.25.2)
Hopefully that provides a bit more clarity.
Thanks for your help!
Edit: This device has been working for quite some time now. The specific behavior I mentioned started happening recently, and IIRC, it started showing up after 7.13.
Edit 2: Re-did the whole VLAN configuration based on the post you mentioned. I hope I have interpreted it correctly. Also applied the necessary changes to Device A VLAN configuration.
[admin@Storage] > /export hide-sensitive
# 2024-01-02 17:48:20 by RouterOS 7.14beta4
# software id = Y5YP-7K50
#
# model = RBD53iG-5HacD2HnD
# Export of Device B ("Storage", hAP ac3), the downstream router in the storage room.
# Secrets are stripped by "hide-sensitive" (L13), so passphrases/keys do not appear below.
/interface bridge
# Bridge-level VLAN filtering is on, but ingress-filtering is off here and on every
# wired port below, so frames arriving with a VLAN tag the port is not a member of are
# not rejected at the port; no pvid is set anywhere, so every port uses the default PVID.
add admin-mac=DC:2C:6E:2E:42:82 auto-mac=no comment=defconf ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Router LAN Port"
set [ find default-name=ether4 ] comment=DARKSTAR
set [ find default-name=ether5 ] poe-out=off
/interface vlan
# vlan10 is a VLAN interface whose parent is the bridge itself.
# NOTE(review): this same interface is also added back into the bridge as a port
# ("/interface bridge port" below) and listed as a tagged member of VLAN 10 in
# "/interface bridge vlan". Adding a bridge's own child VLAN interface as a port of
# that bridge is unusual and looks unintended; worth confirming against the guide you
# followed, as it is a plausible source of the recent misbehaviour.
add interface=bridge name=vlan10 vlan-id=10
/interface ethernet switch port
# Switch-chip VLAN handling is disabled on all ports; VLAN tagging is handled by the
# bridge (vlan-filtering=yes above).
set 0 default-vlan-id=auto vlan-mode=disabled
set 1 default-vlan-id=auto vlan-mode=disabled
set 2 default-vlan-id=auto vlan-mode=disabled
set 3 default-vlan-id=auto vlan-mode=disabled
set 4 default-vlan-id=auto vlan-mode=disabled
set 5 default-vlan-id=auto vlan-mode=disabled
/interface list
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=5ghz-ac disabled=no name=5GHz_AC_20_40_80MHz width=20/40/80mhz
add band=2ghz-n disabled=no name=2GHz_N_20_40MHz width=20/40mhz
/interface wifi datapath
add bridge=bridge disabled=no interface-list=LAN name=datapath1
/interface wifi security
# Base security profiles: WPA2-PSK, WPS disabled. Both SSIDs currently land in the same
# bridge/VLAN (no IoT VLAN yet, as noted in the post).
add authentication-types=wpa2-psk disabled=no name=WIFI wps=disable
add authentication-types=wpa2-psk disabled=no name="WIFI - IoT" wps=disable
/interface wifi configuration
# cfg1 (5 GHz, SSID "WIFI") widens authentication to wpa2-psk,wpa3-psk at the
# configuration level.
add channel=5GHz_AC_20_40_80MHz channel.band=5ghz-ac .width=20/40/80mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg1 security=WIFI \
security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=WIFI
# cfg2 (2.4 GHz, IoT SSID): WPA2-PSK only and management-protection (PMF) disabled —
# presumably a compatibility trade-off for older IoT clients. Without PMF this SSID
# cannot offer WPA3, and its management frames are unprotected.
add channel=2GHz_N_20_40MHz channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg2 \
security="WIFI - IoT" security.authentication-types=wpa2-psk .management-protection=disabled .wps=disable ssid="WIFI - IoT"
/interface wifi
# Per-interface overrides.
# NOTE(review): wifi2 sets security.authentication-types=wpa2-psk at the interface
# level; as far as I know interface-level settings take precedence over the
# configuration profile, which would make cfg1's wpa2-psk,wpa3-psk ineffective and
# leave "WIFI" on WPA2 only. If WPA3 is wanted there, remove that override (or set it
# to wpa2-psk,wpa3-psk on the interface too).
set [ find default-name=wifi1 ] channel=2GHz_N_20_40MHz channel.skip-dfs-channels=all configuration=cfg2 configuration.mode=ap datapath=datapath1 disabled=no security=\
"WIFI - IoT" security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel=5GHz_AC_20_40_80MHz channel.skip-dfs-channels=all configuration=cfg1 configuration.mode=ap .multicast-enhance=enabled datapath=datapath1 \
disabled=no security=WIFI security.authentication-types=wpa2-psk
/ip ipsec profile
# IPsec defaults hardened (AES-256, SHA-256, modp2048). The only policy shown (index 0)
# is disabled further down, so these settings are currently unused.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ppp profile
# Default PPP profile: encryption required, IPv6/MPLS off. No PPP-based server is shown
# enabled in this export.
set *FFFFFFFE use-compression=no use-encryption=required use-ipv6=no use-mpls=no
/interface bridge port
# All wired ports, both wifi interfaces and vlan10 are bridge ports (see the vlan10
# note above). ingress-filtering=no on every wired port.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" interface=wifi1
add bridge=bridge comment="::: defconf" interface=wifi2
add bridge=bridge interface=vlan10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery answers on every non-dynamic interface, including ether1 toward
# Device A.
set discover-interface-list=!dynamic
/ipv6 settings
# IPv6 is fully disabled on this device.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN table: VLAN 10 is tagged on the trunk to Device A (ether1), the Windows Server
# port (ether4) and the bridge CPU port (plus the vlan10 interface itself, see note
# above). Everything else is untagged VLAN 1.
add bridge=bridge tagged=ether1,ether4,bridge,vlan10 vlan-ids=10
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,wifi1,wifi2 vlan-ids=1
/interface list member
# "LAN" list contains only the bridge; mac-server/mac-winbox below are bound to it.
add comment=defconf interface=bridge list=LAN
/interface ovpn-server server
# NOTE(review): md5 is accepted as an OVPN auth algorithm. No line in this export
# enables the OVPN server, so this is currently inert; if it is ever enabled, drop md5
# from the list first.
set auth=sha1,md5
/ip address
# LAN address on the bridge plus a management address on vlan10. This device is a
# downstream router; its default route goes to Device A (see /ip route).
add address=192.168.25.3/24 comment=LAN interface=bridge network=192.168.25.0
add address=172.16.10.3/24 interface=vlan10 network=172.16.10.0
/ip dhcp-client
# Static addressing; the defconf DHCP client on ether1 stays disabled.
add comment=defconf disabled=yes interface=ether1
/ip dns
# allow-remote-requests=yes turns the router into a DNS resolver for clients. There is
# no input-chain filter rule anywhere in this export, so every host in VLAN 1 or VLAN 10
# can query it (and reach SSH/Winbox/API on the router); exposure to anything untrusted
# depends entirely on Device A upstream.
set allow-remote-requests=yes servers=192.168.25.9
/ip dns static
# Two static entries for router.lan: the 192.168.88.1 one is a defconf leftover and no
# longer matches any address on this device — remove it so clients are not handed a
# dead address for that name.
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.25.3 name=router.lan
/ip firewall filter
# Forward chain only. VLAN 10 (VMs) may not initiate anything through this router to
# other networks; the reverse direction (LAN -> VLAN 10) is allowed because there is no
# final drop — the chain's default action is accept. This does not restrict VLAN 10
# hosts from reaching the router itself (that would be the input chain, which has no
# rules here).
add action=drop chain=forward in-interface=vlan10 out-interface=!vlan10
add action=fasttrack-connection chain=forward comment="fasttrack established/related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established/related" connection-state=established,related
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
# Default route and the ZeroTier subnet (172.25.0.0/24, hosted on Device A) both via
# Device A.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.25.0.0/24 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip ssh
# SSH remote port forwarding is enabled: an authenticated SSH client can have this
# router listen on a port and forward it. Keep only if actively used; "no" is the
# tighter setting.
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=Storage
/system leds
set 0 disabled=yes interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 disabled=yes leds=poe-led type=poe-out
/system leds settings
set all-leds-off=immediate
/system logging
# Disabled wireless debug log target; handy to enable while chasing the wifi issue.
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system package update
# Package updates follow the "testing" channel (this export is from 7.14beta4) and
# RouterBOARD firmware auto-upgrades. Worth keeping in mind when bisecting the
# behaviour that appeared after 7.13: beta builds move under you.
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system watchdog
# Watchdog pings Device A; the router reboots if 192.168.25.2 stops answering, so an
# outage on Device A also bounces this box.
set watch-address=192.168.25.2
/tool bandwidth-server
# Bandwidth-test server accepts unauthenticated clients, so any LAN host can load this
# router's CPU/links with btest. Set authenticate=yes or enabled=no unless it is used.
set authenticate=no
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN interface list (= bridge only).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN