Hi, I am using v7.20.2. I have configured dual-WAN failover using recursive routes and load balancing using PCC, and all of that is working fine. But when I tried inter-VLAN routing, I get "TTL expired in transit" when I ping a PC in another VLAN. When I turn off my default routes (the recursive routes), I can ping the PC in the other VLAN, but then there is no internet. Can someone please help me fix my problem?
Which might mean that somehow you have conflicting routes.
Post your configuration, following this:
Post also the output of:
/ip route print
twice: once when you have internet working and once when you have inter-VLAN working.
Also, it is not clear to me what you mean by inter-VLAN routing.
Hi, after further checking, this is what now happens after restarting the router and restoring the same backup configuration file again: same problem, but now I am not seeing "TTL expired in transit", only "request timed out".
# 2025-11-05 05:10:42 by RouterOS 7.20.2
# Physical port roles: ether1/ether2 are the two uplinks, ether3 is an untagged LAN
# port (no address is assigned to it anywhere in this export) and ether5 carries the
# tagged VLANs.
/interface ethernet
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether5 ] name="VLAN TRUNK"
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
# One routed VLAN sub-interface per tag on the trunk. VLAN ids 10..90 map to the
# 172.16.<vlan-id>.0/24 subnets assigned further down in /ip address.
/interface vlan
add interface="VLAN TRUNK" name=CCTV vlan-id=90
add interface="VLAN TRUNK" name=IT vlan-id=30
add interface="VLAN TRUNK" name=accounting vlan-id=10
add interface="VLAN TRUNK" name=guest vlan-id=40
add interface="VLAN TRUNK" name=marketing vlan-id=20
add interface="VLAN TRUNK" name=production vlan-id=50
add interface="VLAN TRUNK" name=vlan60 vlan-id=60
add interface="VLAN TRUNK" name=vlan70 vlan-id=70
add interface="VLAN TRUNK" name=vlan80 vlan-id=80
# Export of the default wireless security profile and hotspot profile; nothing else in
# this export references either of them.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# DHCP address pools, one .100-.253 slice per VLAN subnet.
# NOTE(review): dhcp_pool12..dhcp_pool16 duplicate the ranges of "IT ip pool",
# "production ip pool", vlan60, vlan70 and vlan80. Of the dhcp_poolNN pools only
# dhcp_pool17 (guest) and dhcp_pool18 (CCTV) are referenced by a DHCP server below,
# so the other five look like leftovers.
/ip pool
add name="accounting ip pool" ranges=172.16.10.100-172.16.10.253
add name="marketing ip pool" ranges=172.16.20.100-172.16.20.253
add name="IT ip pool" ranges=172.16.30.100-172.16.30.253
add name="guest ip pool" ranges=172.16.40.100-172.16.40.253
add name="production ip pool" ranges=172.16.50.100-172.16.50.253
add name=vlan60 ranges=172.16.60.100-172.16.60.253
add name=vlan70 ranges=172.16.70.100-172.16.70.253
add name=vlan80 ranges=172.16.80.100-172.16.80.253
add name=dhcp_pool12 ranges=172.16.30.100-172.16.30.253
add name=dhcp_pool13 ranges=172.16.50.100-172.16.50.253
add name=dhcp_pool14 ranges=172.16.60.100-172.16.60.253
add name=dhcp_pool15 ranges=172.16.70.100-172.16.70.253
add name=dhcp_pool16 ranges=172.16.80.100-172.16.80.253
add name=dhcp_pool17 ranges=172.16.40.100-172.16.40.253
add name=dhcp_pool18 ranges=172.16.90.100-172.16.90.253
# One DHCP server per VLAN interface, all with a 1-day lease. guest and CCTV use the
# dhcp_pool17/dhcp_pool18 pools; the others use the named "<vlan> ip pool" / vlanNN pools.
# The "guest ip pool" defined above is therefore never used.
/ip dhcp-server
add address-pool="accounting ip pool" interface=accounting lease-time=1d \
name=dhcp2
add address-pool="marketing ip pool" interface=marketing lease-time=1d name=\
dhcp3
add address-pool="IT ip pool" interface=IT lease-time=1d name=dhcp4
add address-pool="production ip pool" interface=production lease-time=1d \
name=dhcp5
add address-pool=vlan60 interface=vlan60 lease-time=1d name=dhcp6
add address-pool=vlan70 interface=vlan70 lease-time=1d name=dhcp7
add address-pool=vlan80 interface=vlan80 lease-time=1d name=dhcp8
add address-pool=dhcp_pool17 interface=guest lease-time=1d name=dhcp9
add address-pool=dhcp_pool18 interface=CCTV lease-time=1d name=dhcp10
/port
set 0 name=serial0
# The two policy-routing tables that the mark-routing rules in /ip firewall mangle
# select; fib means routes placed in them are installed in the forwarding table.
/routing table
add disabled=no fib name=routing_to_ISP1
add disabled=no fib name=routing_to_ISP2
# UDP connection-tracking entries expire after 10 s of inactivity.
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery runs on every non-dynamic interface, which here includes WAN1
# and WAN2 -- NOTE(review): that advertises the router (identity, software version)
# toward both ISP-facing links; confirm this is intended, or restrict the list to
# the LAN-side interfaces.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# OpenVPN server instance; nothing else in this export (users, certificates,
# firewall) refers to it.
/interface ovpn-server server
add mac-address=FE:5D:35:30:9C:7E name=ovpn-server1
# Router addresses. WAN1 10.0.0.150/23 covers 10.0.0.0-10.0.1.255 and WAN2
# 10.0.13.150/23 covers 10.0.12.0-10.0.13.255, so the ISP gateways used in /ip route
# (10.0.1.254 and 10.0.13.254) are on-link. Both uplinks sit in private 10.x space,
# so the upstream devices are presumably ISP CPEs doing their own NAT (not shown here).
# Each VLAN gets the .254 address of its 172.16.<vlan-id>.0/24 subnet, matching the
# gateway handed out in /ip dhcp-server network.
/ip address
add address=10.0.0.150/23 interface=WAN1 network=10.0.0.0
add address=172.16.10.254/24 interface=accounting network=172.16.10.0
add address=172.16.20.254/24 interface=marketing network=172.16.20.0
add address=10.0.13.150/23 interface=WAN2 network=10.0.12.0
add address=172.16.30.254/24 interface=IT network=172.16.30.0
add address=172.16.40.254/24 interface=guest network=172.16.40.0
add address=172.16.90.254/24 interface=CCTV network=172.16.90.0
add address=172.16.50.254/24 interface=production network=172.16.50.0
add address=172.16.60.254/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.254/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.254/24 interface=vlan80 network=172.16.80.0
# NOTE(review): DHCP *clients* on the accounting and marketing VLAN interfaces, on
# which this router is itself the DHCP server (dhcp2/dhcp3 above). A client here takes
# a lease -- and, with RouterOS defaults, a default route and DNS servers -- from
# whatever DHCP server answers on those VLANs. This looks like a leftover; confirm and
# remove if so.
/ip dhcp-client
add interface=accounting
add interface=marketing
# DHCP server for the untagged LAN port. address-pool=*3 is an unresolved internal id
# rather than a pool name, which usually means the pool it pointed at no longer
# exists. "# Interface not running" is the exporter's own annotation: LAN has no link.
/ip dhcp-server
# Interface not running
add address-pool=*3 interface=LAN name=dhcp1
# Gateway and DNS servers handed out per subnet. The 172.16.0.0/24 entry has no
# matching /ip address on any interface in this export (LAN carries no address), so
# it is currently unused.
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.254
add address=172.16.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.10.254
add address=172.16.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.20.254
add address=172.16.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.30.254
add address=172.16.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.40.254
add address=172.16.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.50.254
add address=172.16.60.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.60.254
add address=172.16.70.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.70.254
add address=172.16.80.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.80.254
add address=172.16.90.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.90.254
# The router itself forwards DNS to the same two public resolvers (clients are handed
# 8.8.8.8/8.8.4.4 directly above, so they do not depend on this).
# NOTE(review): allow-remote-requests=yes answers DNS queries arriving on any
# interface, and this export contains no /ip firewall filter section, so queries
# arriving on WAN1/WAN2 are answered too unless the upstream devices block them.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Connection and routing marks for the dual-WAN PCC load balancing / failover.
# NOTE(review): the per-VLAN PCC rules match dst-address-type=!local, which only
# excludes traffic addressed to the router itself. Traffic from one VLAN subnet to
# another is not "local", so it is marked as well and then routed in routing_to_ISP1
# or routing_to_ISP2, which hold only a default route (see /ip route). That is
# consistent with the inter-VLAN symptoms described in the thread and with the fix
# that resolved it: an accept rule for VLAN-to-VLAN traffic placed first in
# chain=prerouting, so such traffic never reaches the marking rules below.
/ip firewall mangle
# New connections arriving on a WAN are tagged with that WAN's mark so that the
# router's own replies (chain=output rules below) leave through the same uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=WAN1 new-connection-mark=\
ISP1-ether1-CONNECTION
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=WAN2 new-connection-mark=\
ISP2-ether2-CONNECTION
add action=mark-routing chain=output connection-mark=ISP1-ether1-CONNECTION \
new-routing-mark=routing_to_ISP1
add action=mark-routing chain=output connection-mark=ISP2-ether2-CONNECTION \
new-routing-mark=routing_to_ISP2
# PCC: new connections from each VLAN are split two ways on source address+port;
# remainder 0 goes to ISP1. One copy of the rule per VLAN interface (nine copies).
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=accounting \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=CCTV \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan80 \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan70 \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan60 \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=production \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=guest \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=IT \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=marketing \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
# PCC remainder 1 goes to ISP2 (same nine interfaces).
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=accounting \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=CCTV \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan80 \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan70 \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=vlan60 \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=production \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=guest \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=IT \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=marketing \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
# Every packet of a connection marked for ISP1 that enters from a VLAN is looked up in
# routing_to_ISP1 (nine copies, one per interface) ...
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=accounting new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=CCTV new-routing-mark=routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=vlan80 new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=vlan70 new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=vlan60 new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=production new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=guest new-routing-mark=\
routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=IT new-routing-mark=routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface=marketing new-routing-mark=\
routing_to_ISP1
# ... and likewise ISP2-marked connections in routing_to_ISP2.
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=accounting new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=CCTV new-routing-mark=routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=vlan80 new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=vlan70 new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=vlan60 new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=production new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=guest new-routing-mark=\
routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=IT new-routing-mark=routing_to_ISP2
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface=marketing new-routing-mark=\
routing_to_ISP2
# Source NAT behind whichever uplink a packet leaves on. Note that the export has no
# /ip firewall filter section at all, so NAT is the only thing separating the VLANs
# from the uplinks here.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
# Default IPsec profile; nothing else in this export configures IPsec.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Recursive failover routes.
# The two /32 host routes in main pin 8.8.8.8 to ISP1's gateway and 8.8.4.4 to ISP2's.
# The default routes below use those hosts as gateways with target-scope=11 > scope=10,
# so each is resolved recursively through its host route; check-gateway=ping on the
# far-end host (instead of the directly connected ISP gateway) therefore also detects
# an upstream outage, not just a dead link.
# NOTE(review): this export shows the 8.8.4.4/32 host route and the last default
# route disabled=yes, but the "/ip route print" quoted later in the thread shows both
# active, with the two routing_to_ISP2 defaults at equal distance 2 marked "+" (ECMP).
# In that state routing_to_ISP2 load-balances across both ISPs rather than failing
# over from ISP2 to ISP1; the two snapshots differ, so confirm which is intended.
/ip route
add comment=ISP1_ether1 disabled=no distance=1 dst-address=8.8.8.8/32 \
gateway=10.0.1.254 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add comment=ISP2_ether2 disabled=yes distance=2 dst-address=8.8.4.4/32 \
gateway=10.0.13.254 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
# routing_to_ISP1: primary via ISP1 (distance 1), backup via ISP2 (distance 2).
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=routing_to_ISP1 scope=10 suppress-hw-offload=no \
target-scope=11
# routing_to_ISP2: primary via ISP2; the backup via ISP1 has the same distance 2, so
# enabling it makes the two ECMP instead of primary/backup.
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 routing-table=routing_to_ISP2 scope=10 suppress-hw-offload=no \
target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 routing-table=routing_to_ISP1 scope=10 suppress-hw-offload=no \
target-scope=11
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=routing_to_ISP2 scope=10 suppress-hw-offload=no \
target-scope=11
# Router name; it appears as the CLI prompt in the route prints quoted below.
/system identity
set name=Clintzcpe
This is my /ip route print when my dual-WAN failover is enabled and my inter-VLAN routing is not working. Two PCs on different VLANs pinging each other get "request timed out".
[admin@Clintzcpe] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
;;; ISP2_ether2
0 As 8.8.4.4/32 10.0.13.254 main 2
;;; ISP1_ether1
1 As 8.8.8.8/32 10.0.1.254 main 1
DAc 10.0.0.0/23 WAN1 main 0
DAc 10.0.12.0/23 WAN2 main 0
DAc 172.16.10.0/24 accounting main 0
DAc 172.16.20.0/24 marketing main 0
DAc 172.16.30.0/24 IT main 0
DAc 172.16.40.0/24 guest main 0
DAc 172.16.50.0/24 production main 0
DAc 172.16.60.0/24 vlan60 main 0
DAc 172.16.70.0/24 vlan70 main 0
DAc 172.16.80.0/24 vlan80 main 0
DAc 172.16.90.0/24 CCTV main 0
2 As 0.0.0.0/0 8.8.8.8 routing_to_ISP1 1
3 s 0.0.0.0/0 8.8.4.4 routing_to_ISP1 2
4 As+ 0.0.0.0/0 8.8.4.4 routing_to_ISP2 2
5 As+ 0.0.0.0/0 8.8.8.8 routing_to_ISP2 2
[admin@Clintzcpe] >
This is my /ip route print when I turn off my default routes (0.0.0.0/0); inter-VLAN routing is working, but without internet.
[admin@Clintzcpe] > /ip route print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
0 Xs 0.0.0.0/0 8.8.8.8 routing_to_ISP1 1
1 Xs 0.0.0.0/0 8.8.4.4 routing_to_ISP2 2
2 Xs 0.0.0.0/0 8.8.4.4 routing_to_ISP1 2
3 Xs 0.0.0.0/0 8.8.8.8 routing_to_ISP2 2
;;; ISP2_ether2
4 As 8.8.4.4/32 10.0.13.254 main 2
;;; ISP1_ether1
5 As 8.8.8.8/32 10.0.1.254 main 1
DAc 10.0.0.0/23 WAN1 main 0
DAc 10.0.12.0/23 WAN2 main 0
DAc 172.16.10.0/24 accounting main 0
DAc 172.16.20.0/24 marketing main 0
DAc 172.16.30.0/24 IT main 0
DAc 172.16.40.0/24 guest main 0
DAc 172.16.50.0/24 production main 0
DAc 172.16.60.0/24 vlan60 main 0
DAc 172.16.70.0/24 vlan70 main 0
DAc 172.16.80.0/24 vlan80 main 0
DAc 172.16.90.0/24 CCTV main 0
[admin@Clintzcpe] >
I mean one VLAN communicating with another VLAN. I need to allow traffic from specific VLANs to other VLANs and also deny traffic from specific VLANs to other VLANs. For example, I have an IT VLAN; this IT VLAN has connectivity to all VLANs, but the other VLANs (accounting, marketing, etc.) have no connectivity to other VLANs. Inter-VLAN routing works when I disable the default routes, but then the problem is that there is no internet.
You need to add a rule at the TOP of the mangle table, like this:
# Placed first in chain=prerouting so that traffic between the 172.16.0.0/16 VLAN
# subnets never reaches the PCC / mark-routing rules and stays on the directly
# connected routes in main. accept in mangle only ends processing of this mangle
# chain; the filter table still sees the traffic.
/ip firewall mangle
add action=accept chain=prerouting \
src-address=172.16.0.0/16 dst-address=172.16.0.0/16
That's if you are lazy. Better is to create a VLAN_RANGES address list containing your 172.16.10.0/24, 172.16.20.0/24, ..., 172.16.90.0/24 subnets and put this rule at the top:
# Same exemption, but matched against an address list so that only the enumerated VLAN
# subnets qualify rather than the whole /16 (the VLAN_RANGES list itself is not shown).
/ip firewall mangle
add action=accept chain=prerouting \
src-address-list=VLAN_RANGES dst-address-list=VLAN_RANGES
Unrelated to the problem, but all your duplicated PCC and mark-routing rules that have in-interface=some_vlan_interface can be reduced to one rule each if you create a VLANS interface list and put those CCTV, IT, accounting, ..., vlan80 interfaces as members of that VLANS interface list:
# Interface list grouping every VLAN interface so that one mangle rule can match all
# of them with in-interface-list=VLANS.
/interface list
add name=VLANS
# "#..." stands for the remaining VLAN interfaces (accounting, marketing, ...).
# NOTE(review): the menu is spelled "member" (singular) in the filter example later
# in the thread; check the spelling when pasting.
/interface list members
add interface=CCTV list=VLANS
add interface=IT list=VLANS
#...
add interface=vlan80 list=VLANS
Once that's done you can reduce the number of mangle rules by 9x; just use this for the PCC and mark-routing rules:
# Consolidated PCC + mark-routing rules: in-interface-list=VLANS replaces the nine
# per-interface copies of each rule; the matchers are otherwise unchanged. These
# still rely on the VLAN-to-VLAN accept rule being placed above them, because
# dst-address-type=!local alone does not exempt traffic between VLAN subnets.
/ip firewall mangle
# PCC remainder 0 -> ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=VLANS \
new-connection-mark=ISP1-ether1-CONNECTION per-connection-classifier=\
src-address-and-port:2/0
# PCC remainder 1 -> ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=VLANS \
new-connection-mark=ISP2-ether2-CONNECTION per-connection-classifier=\
src-address-and-port:2/1
# Route each marked connection in the matching routing table.
add action=mark-routing chain=prerouting connection-mark=\
ISP1-ether1-CONNECTION in-interface-list=VLANS \
new-routing-mark=routing_to_ISP1
add action=mark-routing chain=prerouting connection-mark=\
ISP2-ether2-CONNECTION in-interface-list=VLANS \
new-routing-mark=routing_to_ISP2
Note how those 9× repeated in-interface=xxx have been consolidated into single in-interface-list=VLANS.
Now it's @anav's time to complain that your router is unprotected because the firewall filter table is empty!
Small typo, should be:
# Corrected form of the "lazy" rule from the post above (the original post has since
# been edited to match).
/ip firewall mangle
add action=accept chain=prerouting \
src-address=172.16.0.0/16 dst-address=172.16.0.0/16
Thanks :D. That's the problem with copy & paste without really testing the commands, hehe. I've corrected the post.
Yep, the copy/paste mistakes are very common.
Now, if I get this right, that single ("lazy", as you call it) mangle rule is essentially saying "exempt any traffic originating from any address in 172.16.0.0/16 and going to any address in the same 172.16.0.0/16 from any following mangle rule".
Is this correct?
But then how will it be possible to have what the OP detailed, i.e. preventing some VLANs connecting to some other vlans?:
i need to accept traffic from specific vlan communicating to other vlan and also deny traffic from specific vlans communicating with other vlans. like for example. i have IT vlan. this IT vlan has connectivity to all vlans. but other vlans like accounting, marketing and etc. has no connectivity to other vlans.
?
That "preventing traffic between specific VLANs" will be done properly with filter forward rules, as it should be.
The action=accept chain=prerouting rule in the mangle table only acts within the scope of box #4 of your flowchart. This action just skips the rest of the mangle chain=prerouting rules; processing continues with #5. It does not mean skipping the checks in #14.
Even in the filter table, action=accept chain=forward just means skipping the other filter rules of box #14 and going to the next box, which is #23. It does not mean skipping the rest of the firewall (#23, #24 and #25).
I understand that, more correctly that line means:
"exempt any traffic originated from any address in 172.16.0.0/16 and going to any address in the same 172.16.0.0/16 from any following mangle rule in the same prerouting chain"
But the OP has ONLY mangle rules in the prerouting chain, and none in the filter forward chain, so something else is still missing to obtain the wanted result, isn't it?
Yes, that's why I mentioned @anav in the post above (that he'll comment about the lack of filter rules). My post was only to address the "either no traffic between VLAN or lose internet access" problem (the OP's post that my post replied to).
Yep, but anav (hypothetically) will warn about the missing security, and that — while a very good thing to be aware of — will do nothing about the requirement of limiting inter-VLAN access.
So provisions must be added, and in practice they will be either a set of drop rules in /ip firewall filter to prevent a given VLAN from accessing other ones, or — better — explicit accept rules for the wanted interconnections followed by a last "drop all else" rule. Is this correct?
But @anav always uses the modified variation of defconf that has those explicit rules at the bottom:
- allow LAN -> WAN
- allow DSTNAT
- drop all else
And in his config traffics between VLANs must be explicitly allowed.
Cases in point: Search results for '@anav drop all else' - MikroTik community forum
Example from search results: Help with vlans on RB5009 - RouterOS / Beginner Basics - MikroTik community forum
So, to go with the OP's example — the VLANs "accounting" and "marketing" should be able to reach the internet but no other VLAN, and the VLAN "IT" should be able to access both the internet and all other VLANs — it would be something like:
# Illustrative forward-chain excerpt; the "..." lines stand for rules that are not
# shown. Interfaces in list "Limited" may only reach interfaces in list "WAN", the IT
# interface may reach anything, and everything not accepted earlier is dropped.
# NOTE(review): with "drop all else" last, return traffic into the Limited VLANs
# needs an accept for connection-state=established,related above it, which this
# excerpt does not show -- presumably part of the "..." lines.
/ip firewall filter
...
add action=accept chain=forward comment="Limited to internet only" in-interface-list=Limited out-interface-list=WAN
add action=accept chain=forward comment="IT allowed to all" in-interface=IT
...
add action=drop chain=forward comment="drop all else"
Then the interfaces would need to be categorized into lists, i.e.:
# Interface lists used by the filter excerpt above: WAN = both uplinks, Limited = the
# VLANs that may only reach the internet. The "..." lines stand for entries not shown.
/interface list
...
add comment=outer_interfaces list=WAN
add comment=Limited_VLANs list=Limited
...
/interface list member
...
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=accounting list=Limited
add interface=marketing list=Limited
...
Is this the way?
And — to reuse default or common firewall filter structures — the other VLANs should probably be added to a LAN interface list, but let us wait for the OP's reply on the matter.
Firstly, my approach to VLAN filtering in the forward chain is based on user requirements as the foundation of any config: what traffic must be passed is allowed; the rest, for security, shall not pass.
The easiest way to accomplish this, and also to make the forward chain less intimidating and clearer for newbies to understand, is to get rid of the "cute" rules, such as:
# Default-configuration rule: drops new connections coming in from the WAN list unless
# they were dst-NATed. It allows internet-bound and port-forwarded traffic only by
# implication, which is what the text below objects to.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
This rule combines too much. What we want to highlight is that it implicitly allows internet traffic while more obviously allowing port forwarding.
It is much clearer to state (this should be the default, IMHO):
# Explicit replacement: allow LAN -> WAN, optionally allow dst-NATed (port-forwarded)
# connections, drop everything else. The port-forwarding rule ships disabled so it is
# an explicit decision to enable it.
# NOTE(review): the "{enable if required, otherwise remove }" text is a remark to the
# reader, not RouterOS syntax; strip it before pasting.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat \
disabled=yes {enable if required, otherwise remove }
add action=drop chain=forward comment="drop all else"
Thereby making it clear that we are allowing internet traffic and also providing for port forwarding. Unlike the default, my approach is to disable it and, if it is not needed, remove it, for better security. Also, this formulation of the dstnat allow rule is more copacetic with both internal and external users.
Yes, the idea is that any other traffic required should be placed above the drop-all rule, be it
a. allow admin to all vlans
b. allow vlans to a common printer
c. allow vlan X to vlan Y.
etc......
In terms of groups of subnets/vlans, judicious use of interface lists is recommended.
I am not sure of the exact user requirements but what you have is fine, and you make it clear the function of that list.
I prefer generally to assume that all VLANs that are part of the LAN interface list require internet.
If there are some that do not, simply do not include them as part of the LAN interface list.
Then they are not allowed out the internet, and do not have access to DNS in the input chain.
I normally create extra interface lists when the config gets more complex (off the top of my head: think VLANs a, b, c need to go out WAN1 and x, y, z need to go out WAN2 — thus all need internet and DNS but would have different requirements), and any time a condition or matcher interface is duplicated on 2 or more rules, it begs for interface list creation and only one firewall rule. There are lots of ways to accomplish the same thing.
The elegance of this approach is that we avoid spending all our time thinking about what traffic to block (the WRONG APPROACH) and can focus on requirements.
Thank you very much @CGGXANNX, this solves my problem and also shortens everything using the interface list.
To prevent a VLAN from communicating with whichever other VLAN, I just add a firewall rule from the source VLAN to the destination VLAN and set the action to drop.
Yep, it will likely work just fine in your case, but it is the opposite of the approach suggested by anav, which is:
- explicitly allow (accept) what is wanted
- block (drop) all else
you are doing instead:
- block (drop) what is not wanted
Which indeed is bassackwards!
Requirements are based on what traffic needs to flow. Everything else is dropped.
This is the proper security approach and it is far more elegant/efficient, as it requires fewer rules.
It is also less arrogant, as I would never profess to know all the things I should be blocking; thus dropping them all JUST WORKS, because I don't need any of that traffic, and the traffic I do need has been articulated.
If the OP wants to dig himself out of a hole: drop the shovel and grab the rope ladder.