Having issues with Inter-Vlan Routing

I've gotten everything set up, read a bunch of forum posts and documentation, and got the config below.

Working with a hEX PoE 5-port, RB960.

Goal:
Wan - DHCP client to ISP, Port 1
Admin Vlan - ID 10, Ports 2 and 3
IoT / Guest Vlan - ID 20, Ports 4 and 5

Admin VLAN should be able to access the device for config, and access the IoT VLAN. IoT VLAN should only be able to return traffic to Admin or access the internet.
Each of the sets of 2 ports will have one unmanaged switch and one TP-Link AP, so the ports should be forcing the VLAN tagging.

All ports currently assign the correct IP and can access the internet. Admin can access the router via WinBox.
The issue is that the Admin VLAN cannot see anything on the IoT VLAN.

# nov/21/2020 20:52:06 by RouterOS 6.47.7
# software id = WIBP-QIC7
#
# model = 960PGS
# serial number = AD8B09805111
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=Admin_VLAN vlan-id=10
add interface=BR1 name=IoT_VLAN vlan-id=20
add interface=BR1 name=Mgmt_VLAN vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=Mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=Admin_POOL ranges=192.168.10.15-192.168.10.254
add name=IoT_POOL ranges=192.168.0.15-192.168.0.254
add name=Mgmt_POOL ranges=192.168.88.15-192.168.88.254
/ip dhcp-server
add address-pool=Admin_POOL disabled=no interface=Admin_VLAN name=Admin_DHCP
add address-pool=IoT_POOL disabled=no interface=IoT_VLAN name=IoT_DHCP
add address-pool=Mgmt_POOL disabled=no interface=Mgmt_VLAN name=Mgmt_DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BR1 comment="Admin Vlan" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 comment="IoT Vlan" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Mgmt
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,ether5 vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=Admin_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN
add interface=Mgmt_VLAN list=VLAN
add interface=Mgmt_VLAN list=Mgmt
add interface=Admin_VLAN list=Mgmt
/ip address
add address=192.168.88.1/24 interface=Mgmt_VLAN network=192.168.88.0
add address=192.168.10.1/24 interface=Admin_VLAN network=192.168.10.0
add address=192.168.0.1/24 interface=IoT_VLAN network=192.168.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related connection-type="" routing-table=""
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!VLAN
add action=accept chain=input comment="Allow Vlan" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow Inter-Vlan Routing" \
    connection-state=new in-interface-list=Mgmt
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=Mgmt
/tool mac-server mac-winbox
set allowed-interface-list=Mgmt
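Before changing the firewall, it helps to check what the exported forward chain already permits. The following is an added example, not from the thread or from RouterOS: a small first-match model of the forward rules and interface lists above, run over a few constructed flows between the VLAN interfaces and ether1. As posted, the chain already accepts new Admin-to-IoT connections and drops the reverse direction; it also drops dst-natted connections from WAN, since no rule accepts them.

```python
# Interface lists as exported under /interface list member.
LISTS = {
    "WAN": {"ether1"},
    "VLAN": {"Admin_VLAN", "IoT_VLAN", "Mgmt_VLAN"},
    "Mgmt": {"Mgmt_VLAN", "Admin_VLAN"},
}

def in_list(iface, spec):
    """Interface-list matcher; a leading '!' negates, as in in-interface-list=!VLAN."""
    if spec.startswith("!"):
        return iface not in LISTS[spec[1:]]
    return iface in LISTS[spec]

def matches(rule, flow):
    """Every matcher present on a rule must hold; matchers it omits match anything."""
    return (("state" not in rule or flow["state"] in rule["state"])
            and ("in" not in rule or in_list(flow["in"], rule["in"]))
            and ("out" not in rule or in_list(flow["out"], rule["out"]))
            and ("dstnat" not in rule or flow["dstnat"] == rule["dstnat"]))

def verdict(rules, flow):
    """First matching rule decides; a chain that nothing matches falls through to accept."""
    return next((r["action"] for r in rules if matches(r, flow)), "accept")

# The export's forward chain, in order. The two ipsec rules are omitted because no
# ipsec policies exist; fasttrack and the plain established/related accept are
# folded into one entry since both accept the same flows.
FORWARD = [
    {"action": "accept", "state": {"established", "related"}},
    {"action": "accept", "state": {"new"}, "in": "Mgmt"},                 # Allow Inter-Vlan Routing
    {"action": "drop", "state": {"invalid"}},
    {"action": "drop", "state": {"new"}, "in": "WAN", "dstnat": False},   # not dst-natted from WAN
    {"action": "accept", "state": {"new"}, "in": "VLAN", "out": "WAN"},   # VLAN Internet Access only
    {"action": "drop"},                                                   # final Drop
]

def check(src, dst, state="new", dstnat=False):
    """Verdict for one constructed flow from interface src to interface dst."""
    return verdict(FORWARD, {"in": src, "out": dst, "state": state, "dstnat": dstnat})

if __name__ == "__main__":
    for label, args in {"admin->iot": ("Admin_VLAN", "IoT_VLAN"),
                        "iot->admin": ("IoT_VLAN", "Admin_VLAN"),
                        "iot->wan": ("IoT_VLAN", "ether1"),
                        "wan->iot": ("ether1", "IoT_VLAN")}.items():
        print(f"{label:>10}: {check(*args)}")
```

The model only covers interface-list, connection-state and dstnat matchers, which is all this chain uses; device-local firewalls and broadcast-based discovery, which do not cross a routed VLAN boundary, are outside what it can show.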
  1. What is the purpose of the UNMENTIONED management VLAN?
  2. Are the TP-Links smart devices (able to read VLAN tags)?
  3. Assuming port 2 - switch, port 3 - TP-Link, port 4 - switch, port 5 - TP-Link?

I originally added a mgmt VLAN on the .88 subnet because everything I was reading had something like it. I realized about halfway through that it was unnecessary. The admin VLAN was added to the mgmt list; I just never deleted the mgmt VLAN.

  1. Yes, the TP-Link APs can tag each SSID with a VLAN.

  2. Yes, you are correct:
    Port 1 - WAN
    Port 2 - admin dumb switch
    Port 3 - admin TP-Link AP (one SSID)
    Port 4 - IoT dumb switch
    Port 5 - IoT TP-Link AP (two SSIDs, guest and IoT)

/interface vlan
add interface=BR1 name=Admin_VLAN vlan-id=10 [assuming this is the trusted home network]
add interface=BR1 name=IoT_VLAN vlan-id=20
add interface=BR1 name=Guest_VLAN vlan-id=99

/interface list
add name=WAN
add name=LAN
add name=Mgmt

/ip pool
add name=GuestPOOL ranges=192.168.88.15-192.168.88.254

/ip dhcp-server
add address-pool=GuestPOOL disabled=no interface=Guest_VLAN name=Guest_DHCP

/interface bridge port
add bridge=BR1 comment="Admin Vlan" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 [to un-managed switch on home/admin/trusted network]
add bridge=BR1 ingress-filtering=yes interface=ether3 [to TP-Link on admin network]
add bridge=BR1 comment="IoT Vlan" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20 [un-managed switch for IoT devices]
add bridge=BR1 ingress-filtering=yes interface=ether5 [to TP-Link for IoT and guest devices]

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3,ether5 untagged=ether2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether5 untagged=ether4 vlan-ids=20 {for IoT SSID and switch}
add bridge=BR1 tagged=BR1,ether5 vlan-ids=99 {for guest VLAN and SSID}

The reason I have tagged the TP-Link (ether5) with VLAN 10 is that I am assuming you want the TP-Link AP to be a managed device (and thus it gets an IP on the managed admin VLAN!)

/interface list member
add interface=ether1 list=WAN
add interface=Admin_VLAN list=LAN
add interface=IoT_VLAN list=LAN
add interface=Guest_VLAN list=LAN
add interface=Admin_VLAN list=Mgmt


/ip address
add address=192.168.88.1/24 interface=Guest_VLAN network=192.168.88.0

/ip firewall filter
add action=accept chain=input comment="Allow Vlan" in-interface-list=VLAN
add action=drop chain=input comment=Drop

*** Let's change this to something better, in two parts!
add action=accept chain=input comment="allow admin access" in-interface-list=Mgmt

If you can, provide a list of IP addresses to narrow this down to specific devices on the trusted LAN.

  • Static IPs for admin desktop, laptop, iPad etc. Create a firewall address list as appropriate and call it 'admin_access';
    then the rule becomes
    add action=accept chain=input in-interface-list=Mgmt src-address-list=admin_access

    Part 2.
    add action=accept chain=input comment="allow services for lan users"
    Examples are DNS port 53, UDP & TCP (in-interface-list=LAN);
    could also include NTP, for example, if you have a time service for devices on the LAN.

    ALSO this input rule
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!VLAN

    You no longer need it, because you include the drop-all-else rule below.
    Since you didn't state, above this last drop-all rule, anything to allow traffic coming from the WAN, it will be dropped; thus you only need the one last rule (i.e. this one is redundant).

    NOTE: Disable the last drop-all rule until the new rules are in place and checked, otherwise you will lock yourself out of the router.


    For the forward filter chain, too messy, will clean up!!!
    Keep all the default rules that I didn't include below and then modify the following

    FROM
    /ip firewall filter
    add action=accept chain=input comment="Allow Vlan" in-interface-list=VLAN
    add action=drop chain=input comment=Drop
    add action=accept chain=forward comment="Allow Inter-Vlan Routing" connection-state=new in-interface-list=Mgmt
    add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
    add action=drop chain=forward comment=Drop


    TO
    /ip firewall filter
    add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward in-interface-list=Mgmt out-interface-list=LAN
    add action=drop chain=forward comment="Drop All Else"

    If you do need to do port forwarding at any time, just add another allow rule...
    add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN