I am trying to configure the setup in the diagram, and it is mostly working but am stuck with routing VLANs to the firewall.
I have VLAN 30 and 50 in the bridge and they can route to each other fine. Each of the core switches can reach public networks via 10.10.10.6 but a client on VLAN 30 or 50 can only reach the core switch IP in VLAN 10 - 10.10.10.0/29 and not 10.10.10.6 or anything public.
I have tried simplifying the WAN by putting an address on an interface but I get the same issue.
I am probably missing something obvious but very grateful if someone can point it out, or if I am going about this in the wrong way. Relevant config from core-01 below, core-02 is almost identical. Thanks!
/interface bridge
add admin-mac=AB:CD:EF:06:0D:D8 ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no dhcp-snooping=no disabled=no ether-type=0x8100 fast-forward=yes forward-delay=15s frame-types=admit-all \
igmp-snooping=no ingress-filtering=yes max-message-age=20s mtu=auto name=br-mlag priority=0x1000 protocol-mode=rstp pvid=99 transmit-hold-count=6 vlan-filtering=yes
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=br-mlag loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=vlan-client use-service-tag=no \
vlan-id=50
add arp=enabled arp-timeout=auto disabled=no interface=br-mlag loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=vlan-management use-service-tag=no \
vlan-id=30
add arp=enabled arp-timeout=auto disabled=no interface=br-mlag loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=vlan-wan use-service-tag=no \
vlan-id=10
/interface bonding
add arp=enabled arp-interval=100ms arp-ip-targets="" arp-timeout=auto disabled=no down-delay=0ms !forced-mac-address lacp-rate=30secs link-monitoring=mii mii-interval=100ms min-links=0 \
mlag-id=11 mode=802.3ad mtu=1500 name=mlag-01 primary=none slaves=01 transmit-hash-policy=layer-2 up-delay=0ms
add arp=enabled arp-interval=100ms arp-ip-targets="" arp-timeout=auto disabled=no down-delay=0ms !forced-mac-address lacp-rate=30secs link-monitoring=mii mii-interval=100ms min-links=0 \
mlag-id=12 mode=802.3ad mtu=1500 name=mlag-02 primary=none slaves=02 transmit-hash-policy=layer-2 up-delay=0ms
add arp=enabled arp-interval=100ms arp-ip-targets="" arp-timeout=auto disabled=no down-delay=0ms !forced-mac-address lacp-rate=30secs link-monitoring=mii mii-interval=100ms min-links=0 mode=\
802.3ad mtu=1500 name=mlag-wan primary=none slaves=13-wan transmit-hash-policy=layer-2 up-delay=0ms
add arp=enabled arp-interval=100ms arp-ip-targets="" arp-timeout=auto disabled=no down-delay=0ms !forced-mac-address lacp-rate=30secs link-monitoring=mii mii-interval=100ms min-links=0 mode=\
802.3ad mtu=1500 name=peer primary=none slaves=16 transmit-hash-policy=layer-2 up-delay=0ms
/interface vrrp
add arp=enabled arp-timeout=auto authentication=none disabled=no group-master="" interface=vlan-client interval=1s mtu=1500 name=vrrp-client on-backup="" on-fail="" on-master="" \
preemption-mode=yes priority=200 remote-address=10.10.50.4 sync-connection-tracking=yes v3-protocol=ipv4 version=3 vrid=50
add arp=enabled arp-timeout=auto authentication=none disabled=no group-master="" interface=vlan-management interval=1s mtu=1500 name=vrrp-management on-backup="" on-fail="" on-master="" \
preemption-mode=yes priority=200 remote-address=10.10.30.4 sync-connection-tracking=yes v3-protocol=ipv4 version=3 vrid=30
/interface bridge mlag
set bridge=br-mlag peer-port=peer
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=br-oob broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth-01 \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=peer \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=99 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=mlag-01 \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=99 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=vlan-management \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=30 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=vlan-client \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=50 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=mlag-02 \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=99 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=mlag-wan \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=10 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=br-mlag broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=vlan-wan \
internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=10 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge vlan
add bridge=br-mlag disabled=no tagged=br-mlag,peer,mlag-01,mlag-02 untagged="" vlan-ids=30
add bridge=br-mlag disabled=no tagged=br-mlag,peer,mlag-01,mlag-02 untagged="" vlan-ids=50
add bridge=br-mlag disabled=no tagged=br-mlag,peer untagged="" vlan-ids=10
/ip address
add address=172.31.255.1/24 disabled=no interface=br-oob network=172.31.255.0
add address=10.10.30.3/24 disabled=no interface=vlan-management network=10.10.30.0
add address=10.10.50.3/24 disabled=no interface=vlan-client network=10.10.50.0
add address=10.10.30.1/32 disabled=no interface=vrrp-management network=10.10.30.1
add address=10.10.50.1/32 disabled=no interface=vrrp-client network=10.10.50.1
add address=10.10.10.3/29 disabled=no interface=vlan-wan network=10.10.10.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.6 pref-src="" routing-table=main suppress-hw-offload=no