Are My VLAN Configs Correct? Working, But Would Like Feedback

I seem to get the correct IPs and my dhcp leases seem to match the VLAN structure, but I wanted to ask if there is a problem I'm not aware of. Thanks in advance. RB5009 is core router, CRS328 is the switch+POE.

/interface bridge
add admin-mac=redacted auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=192.168.10.100-192.168.10.250
add name=pool20 ranges=192.168.20.100-192.168.20.250
add name=pool30 ranges=192.168.30.100-192.168.30.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool10 interface=vlan10-main name=dhcp10
add address-pool=pool20 interface=vlan20-iot name=dhcp20
add address-pool=pool30 interface=vlan30-guest name=dhcp30
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=vlan10-main network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-iot network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-guest network=192.168.30.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.249
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
add action=accept chain=forward comment=\
    "VLAN 10 can initiate talk to any local subnet" in-interface=vlan10-main
add action=accept chain=forward comment=\
    "Allow all subnets to query Pi-hole for DNS (UDP)" dst-address=\
    192.168.10.249 dst-port=53 protocol=udp
add action=accept chain=forward comment=\
    "Allow all subnets to query Pi-hole for DNS (TCP)" dst-address=\
    192.168.10.249 dst-port=53 protocol=tcp
add action=drop chain=forward comment=\
    "Isolate VLAN 30 entirely from local subnets (Internet Only)" \
    dst-address=192.168.0.0/16 in-interface=vlan30-guest
add action=accept chain=forward comment=\
    "Allow Emergency Backdoor to access all VLANs" src-address=\
    192.168.88.0/24
add action=drop chain=forward comment="Drop all traffic aimed at VLAN 10" \
    out-interface=vlan10-main
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Force DNS to Pi-hole (UDP)" \
    dst-port=53 protocol=udp src-address=!192.168.10.249 to-addresses=\
    192.168.10.249
add action=dst-nat chain=dstnat comment="Force DNS to Pi-hole (TCP)" \
    dst-port=53 protocol=tcp src-address=!192.168.10.249 to-addresses=\
    192.168.10.249
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB5009.CoreRouter
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

CRS328

/interface bridge
add admin-mac=redacted auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=mgmt-vlan10 vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether22 pvid=30
add bridge=bridge comment=defconf interface=ether23 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether24 pvid=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether1,ether2,ether3 untagged=\
    ether5,ether10,ether24 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,ether1,ether2,ether3 untagged=\
    ether4,ether9,ether11,ether23 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1,ether1,ether2,ether3 untagged=ether22 \
    vlan-ids=30
/ip address
add address=192.168.10.2/24 interface=mgmt-vlan10 network=192.168.10.0
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=CRS328.MainPoESwitch
/system routerboard settings
set enter-setup-on=delete-key

How many routers do you have, it would seem you have one router and one switch so why so many threads with different setups.......

Because I removed the CRS312 from the mix. I had the 312 before, and then needed POE so I got the 328 but realized it's too many layers so just keeping the rb5009 and crs328 now.

You have the default firewall, which IMO is the main thing, so that's good. Few things caught my eye:

1. The VLAN restrictions in the IPv4 /ip/firewall are not duplicated on the IPv6 side, so the VLAN can speak over IPv6 ... which may not be your intent since you do block things on IPv4 side.

2. The CRS328 has no default route to internet, only an IP address on your MGMT network. Perhaps intentional... but it does mean you have to upgrade using file package, and cannot use /system/package/update/check-for-update

3. RoMON might need to be adjusted. You might want to add the WAN/ether1 on RB5009 to the forbidden list in /tool/romon. While most ISP will drop it and "the internet" cannot use it, if your upstream ISP uses MikroTik then your ISP has access to attempt login (now RoMON still requires username/password, still not ideal to expose RoMON to ISP). And given its enabled on the RB5009, you might want to enable it on the CRS328 so that it actual work to access via RB5009 if the CRS328 config was ever FUBARed. Or, if you're not using RoMON, then disable it on the RB5009.

Thank you for the feedback.

As always if you go with vlans, go with all vlans, having the bridge with its own DHCP to me is not efficient or clean, simply create another vlan and adjust apppropriately

Thanks for the feedback.

Since you don't specify what you expect the configuration to do other than "get correct IPs", its hard to say if there is a problem or not.

What is the purpose of the vlans? Your RB5009 itself isn't well protected from the iot or guest networks. All vlan interfaces are in the LAN list (that's fine), but you don't have anything on your input chains to block access to the router using winbox or romon.

You may want to add another list for management access; you can have an interface be a member of multiple lists. But it will increase the complexity, and be sure that you have a good backup before restricting winbox to a list other than LAN. (be sure you have members defined in the new list before changing the access, because on the RB5009 there isn't any serial console as a "back door").

And all the bridge ports on the RB5009 currently are connected to the default vlan1 with untagged, so any non-vlan aware device you plug into an available RB5009 ether port (other than ether1 the WAN port) will be connected to the 192.168.88.1 network. As long as you understand how things work, then leaving the connection to the untagged bridge is a valid config, but be aware that if you plug a pc into for example ether16 on the CRS328 it will get connected to the "emergency backdoor" 192.168.88.0/24 net without any special configuration on the PC (there is a dhcp server for 192.168.88.0/24)

I will leave comments about the ipv6 firewall to someone that uses ipv6, I don't.

Thank you for the feedback.

The vlans are meant to segment the network and let me access all from vlan10. The vlans carry over to the APs based on SSID. The RB5009 only has the WAN, CRS328, and my laptop connected to it. Nothing else will be plugged in.

Do you intend for all unmodified CRS328 ports to have access to everything? Unless I am mistaken, that is what I think will happen. If this is just in the proof of concept stage, then it isn't a problem, but the "default port settings" will give the ports access to the same untagged vlan that the RB5009's bridge device is "connected to", in your case the default 192.168.88.0/24 subnet.

Easy enough to test, just plug a pc into ether16 on the CRS328 and see if you have access to the other vlans. I think it will obtain an ip address in 192.168.88.0/24 via the dhcp server on the RB5009, and then have access to devices on vlans 10, 20 and 30 as well as the RB5009 itself.