Create multiple VRFs in core switch with uplink firewall

I am trying to create multiple VRFs on a core switch. This switch will not function as a firewall. Each VRF has a vlan that talks to the firewall over ptp network and has OSPF running. The two devices are establishing OSPF link between them. I assigned a vlan 52 in the IOT VRF to a port and the computer gets an IP from DHCP but can’t ping the gateway IP of the vlan. Any help would be appreciated in figuring out what I am missing.

Firewall:
vlan 4001: LAN ptp 10.255.255.0/31
vlan 4002: DMZ ptp 10.255.255.2/31
vlan 4003: IOT ptp 10.255.255.4/31
vlan 4004: GUEST ptp 10.255.255.6/31

/interface bridge
add admin-mac=DC:2C:6E:A1:12:CA auto-mac=no mtu=1500 name=bridge port-cost-mode=short vlan-filtering=yes
add name=loopback port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether01
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus01 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus02 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus3 ] name=sfp-sfpplus03 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus4 ] name=sfp-sfpplus04 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus5 ] disabled=yes name=sfp-sfpplus05 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus6 ] name=sfp-sfpplus06 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus7 ] name=sfp-sfpplus07 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus8 ] name=sfp-sfpplus08 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus9 ] name=sfp-sfpplus09 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus10 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus15 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus16 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add comment=IoT interface=bridge name=vlan_52 vlan-id=52
add comment=Infrastructure interface=bridge name=vlan_1000 vlan-id=1000
add comment=LAN-UPLINK interface=bridge name=vlan_4001 vlan-id=4001
add comment=DMZ-UPLINK interface=bridge name=vlan_4002 vlan-id=4002
add comment=IOT-UPLINK interface=bridge name=vlan_4003 vlan-id=4003
add comment=GUEST-UPLINK interface=bridge name=vlan_4004 vlan-id=4004
/interface bonding
add lacp-rate=1sec mode=802.3ad name=lag1 slaves=sfp-sfpplus09,sfp-sfpplus10 transmit-hash-policy=layer-2-and-3
add lacp-rate=1sec mode=802.3ad name=lag2 slaves=sfp-sfpplus11,sfp-sfpplus12 transmit-hash-policy=layer-2-and-3
add lacp-rate=1sec mode=802.3ad name=lag3 slaves=sfp-sfpplus13,sfp-sfpplus14 transmit-hash-policy=layer-2-and-3
add lacp-rate=1sec mode=802.3ad name=lag4 slaves=sfp-sfpplus01,sfp-sfpplus02
add comment=Firewall mode=active-backup name=lag5 primary=sfp-sfpplus03 slaves=sfp-sfpplus03,sfp-sfpplus04
/ip pool
add name=pool_iot ranges=10.0.52.50-10.0.52.199
/ip dhcp-server
add address-pool=pool_iot interface=vlan_52 name=dhcp_iot
/ip smb users
set [ find default=yes ] disabled=yes
/ip vrf
add interfaces=vlan_4002 name=VRF-DMZ
add interfaces=vlan_4004 name=VRF-GUEST
add interfaces=vlan_4003,vlan_52 name=VRF-IOT
add interfaces=vlan_4001 name=VRF-LAN
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-lan redistribute=connected,ospf router-id=VRF-LAN routing-table=VRF-LAN vrf=VRF-LAN
add disabled=no name=ospf-instance-iot redistribute=connected,ospf router-id=VRF-IOT routing-table=VRF-IOT vrf=VRF-IOT
add disabled=no name=ospf-instance-guest redistribute=connected,ospf router-id=VRF-GUEST routing-table=VRF-GUEST vrf=VRF-GUEST
add disabled=no name=ospf-instance-dmz redistribute=connected,ospf router-id=VRF-DMZ routing-table=VRF-DMZ vrf=VRF-DMZ
/routing ospf area
add disabled=no instance=ospf-instance-lan name=ospf-area-lan
add disabled=no instance=ospf-instance-iot name=ospf-area-iot
add disabled=no instance=ospf-instance-guest name=ospf-area-guest
add disabled=no instance=ospf-instance-dmz name=ospf-area-dmz
/snmp community
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether01 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=sfp-sfpplus01 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge disabled=yes ingress-filtering=no interface=sfp-sfpplus02 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge disabled=yes ingress-filtering=no interface=sfp-sfpplus03 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=sfp-sfpplus04 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus05 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus06 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus07 internal-path-cost=10 path-cost=10 pvid=15
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus08 internal-path-cost=10 path-cost=10 pvid=15
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus09 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus11 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus13 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus14 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus15 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus16 internal-path-cost=10 path-cost=10
add bridge=bridge interface=lag1 pvid=10
add bridge=bridge interface=lag2 pvid=10
add bridge=bridge interface=lag3 pvid=10
add bridge=bridge interface=lag4 pvid=100
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no interface=lag5
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge comment=Guest tagged=bridge,sfp-sfpplus16 vlan-ids=51
add bridge=bridge comment=Workstation tagged=bridge,sfp-sfpplus16 vlan-ids=50
add bridge=bridge comment=Infrastructure tagged=bridge,sfp-sfpplus16 vlan-ids=1000
add bridge=bridge comment=OOBM tagged=bridge,lag4 vlan-ids=9
add bridge=bridge comment=Virtualization tagged=bridge untagged=lag1,lag2,lag3 vlan-ids=10
add bridge=bridge comment=DMZ tagged=bridge,lag1,lag2,lag3 vlan-ids=800
add bridge=bridge comment=IoT tagged=bridge,lag1,lag2,lag3 vlan-ids=52
add bridge=bridge comment=VRF-LAN-UPLINK tagged=lag5,bridge vlan-ids=4001
add bridge=bridge comment=VRF-DMZ-UPLINK tagged=lag5,bridge vlan-ids=4002
add bridge=bridge comment=VRF-IOT-UPLINK tagged=lag5,bridge vlan-ids=4003
add bridge=bridge comment=VRF-GUEST-UPLINK tagged=lag5,bridge vlan-ids=4004
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip address
add address=10.0.1.2 comment=Loopback interface=loopback network=10.0.1.2
add address=10.0.0.2/24 comment=Infrastructure interface=vlan_1000 network=10.0.0.0
add address=10.255.255.1/31 interface=vlan_4001 network=10.255.255.0
add address=10.255.255.3/31 interface=vlan_4002 network=10.255.255.2
add address=10.255.255.5/31 interface=vlan_4003 network=10.255.255.4
add address=10.255.255.7/31 interface=vlan_4004 network=10.255.255.6
add address=10.0.52.1/24 interface=vlan_52 network=10.0.52.0
/ip dhcp-server network
add address=10.0.52.0/24 comment=IoT dns-server=1.1.1.1 domain=ad.squeakz.net gateway=10.0.52.1
/ip route
add gateway=10.0.0.1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing ospf interface-template
add area=ospf-area-lan auth=simple auth-key={redacted} disabled=no interfaces=vlan_4001 type=ptp
add area=ospf-area-dmz auth=simple auth-key={redacted} disabled=no interfaces=vlan_4002 type=ptp
add area=ospf-area-iot auth=simple auth-key={redacted} disabled=no interfaces=vlan_4003 type=ptp
add area=ospf-area-guest auth=simple auth-key={redacted} disabled=no interfaces=vlan_4004 type=ptp

The following might be part of the problem

From: https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading

Only the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloading=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.

Maybe related, maybe not, /31 support has been added only recently in 7.18.2:
http://forum.mikrotik.com/t/v7-18-2-stable-is-released/182200/1
so its implementation has not been widely tested.

I tried disabling the offloading for all OSPF routes so now it looks like they don’t have hardware offloading on them. I don’t see an “H” next to the routes. I still can’t ping between the firewall and switch. I also can’t ping from computer on the IoT network to the gatewayy IP of the switch.

I tried disabling hardware offloading on the switch itself and I was able to ping between switch and firewall as well as computer on IoT network could then ping the gateway. If I am having all networks be part of a VRF except for management network, would it be better to then leave hardware offload off on the switch?