Local IP Addressed leased but no internet.

Hi everyone,
Recently I’ve been scratching my head that something really strange happened in the local network.
Symptom: Local address from 192.168.0.x got the IP but can’t go to internet (the router is self can ping go to internet, other user can VPN in and connect to server) → Strange things it’s also can’t ping the management IP range. I keep release and renew for several times (3-4 times) then it got the leased ip (fix ip that i reserved on ip lease table) and can ping the management ip and can go to internet. This happened for randomly PC/Laptop on the network. If it’s on different network, let’s say on vlan20: 192.168.20.1 then it can get ip and can go online immediately.
Anyone can help me point out any problem with it, i’ve this config for about 8 months and working well ever since, this problem only happened round 1 month ago.
I include my config. Many thanks

# 2024-01-02 09:19:59 by RouterOS 7.12.1
# software id = 9PI0-559F
#
# model = RB4011iGS+
# serial number = XXXXXXXXXX
/interface bridge
add add-dhcp-option82=yes arp=proxy-arp comment="Core Bridge LAN" \
    dhcp-snooping=yes name=br-core
add add-dhcp-option82=yes arp=proxy-arp comment=WAN2 dhcp-snooping=yes \
    igmp-snooping=yes name=br-viettel
add arp=proxy-arp comment="Loopback VPN" disabled=yes name=br-vpn-ike2
/interface vlan
add comment="VLAN Finance" interface=br-core name=vlan20 vlan-id=20
add comment="VLAN Production" interface=br-core name=vlan30 vlan-id=30
add comment="VLAN Viettel PPOE" interface=ether2 name=vlan35 vlan-id=35
add comment="VLAN Main Network" interface=br-core name=vlan100 vlan-id=100
add comment="VLAN Management Interface" interface=br-core name=vlan185 \
    vlan-id=185
/interface pppoe-client
add add-default-route=yes comment=WAN2 default-route-distance=15 disabled=no \
    interface=br-viettel max-mtu=1492 name=pppoe-out-viettel user=\
    d061_ftth_namcttso
add add-default-route=yes comment=WAN1 default-route-distance=10 disabled=no \
    interface=ether1 max-mtu=1492 name=pppoe-out-vnpt user=ocean187_fiber
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="All Archive files" regexp="^.*get.+\\.(7z|s7z|ace|afa|alz|apk|arc|ar\
    j|b1|b6z|ba|bh|cab|car|cfs|cpt|dar|dd|dgc|dmg|ear|gca|ha|hki|ice|jar|kgb|l\
    zh|lha|lzx|pak|partimg|paq6|paq7|paq8|pea|pim|pit|qda|rar|rk|sda|sea|sen|s\
    fx|shk|sit|sitx|sqx|uca|uha|war|wim|xar|xp3|yz1|zip|zipx|zoo|zpaq|zz|targz\
    |tgz|tarZ|tarbz2|tbz2|tarlzma|tlz|tarxz|txz|uc|uc0|uc2|ucn|ur2|ue2).*\$"
add name="All Audio files" regexp="^.*get.+\\.(3gp|aa|aac|aax|act|aiff|amr|ape\
    |au|awb|dct|dss|dvf|flac|gsm|iklax|ivs|m4a|m4b|m4p|mmf|mp3|mpc|msv|ogg|oga\
    |mogg|opus|ra|rm|raw|sln|tta|vox|wav|wma|wv|webm|8svx).*\$"
add name="All Document files" regexp=\
    "^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt|accdb|xps).*\$"
add name="All Video files" regexp="^.*get.+\\.(webm|mkv|flv|flv|vob|ogv|ogg|dr\
    c|gifv|mng|avi|mov|qt|wmv|yuv|rm|rmvb|asf|amv|mp4|m4p|m4v|mpg|mp2|mpeg|mpe\
    |mpv|mpg|mpeg|m2v|m4v|svi|3gp|3g2|mxf|roq|nsv|flv|f4v|f4p|f4a|f4b).*\$"
add name=Facebook regexp="^..+\\.(facebook.com|facebook.net|fbcdn.com|fbsbx.co\
    m|fbcdn.net|fb.com|tfbnw.net).*\$"
/ip ipsec policy group
add name=gr-ike2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile-ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2-in-server passive=yes profile=profile-ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name=proposal-ike2 pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-ike2-ios \
    pfs-group=none
/ip pool
add comment="for IKE2 VPN" name=ikev2-vpn-pool ranges=\
    10.10.11.50-10.10.11.100
add comment="for L2TP VPN" name=l2tp-vpn-pool ranges=10.10.10.50-10.10.10.200
add comment="for PPTP VPN" name=pptp-vpn-pool ranges=10.10.12.50-10.10.12.100
add name=dhcp_pool9 ranges=192.168.30.2-192.168.30.200
add name=dhcp_pool10 ranges=192.168.20.2-192.168.20.200
add name=dhcp_pool11 ranges=192.168.0.130-192.168.0.250
/ip dhcp-server
add address-pool=dhcp_pool9 interface=vlan30 lease-time=10h name=dhcp3
add address-pool=dhcp_pool10 interface=vlan20 lease-time=10h name=dhcp2
add address-pool=dhcp_pool11 interface=vlan100 lease-time=5h name=dhcp1
/ip ipsec mode-config
add address-pool=ikev2-vpn-pool address-prefix-length=32 name=cfg-ike2 \
    split-include=0.0.0.0/0
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add comment="L2TP Client to Site" local-address=10.10.10.1 name=prof-l2tp-c2s \
    rate-limit=50M/50M remote-address=l2tp-vpn-pool
add comment="PPTP Client to Site" local-address=10.10.12.1 name=prof-pptp-c2s \
    rate-limit=50M/50M remote-address=pptp-vpn-pool use-ipv6=no
/routing table
add disabled=no fib name=Route-1
add disabled=no fib name=Route-2
/system logging action
set 1 disk-file-count=3 disk-lines-per-file=4096
/interface bridge port
add bridge=br-viettel ingress-filtering=no interface=vlan35
add bridge=br-core interface=ether10 trusted=yes
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes default-profile=prof-l2tp-c2s enabled=yes use-ipsec=\
    yes
/interface ovpn-server server
set auth=sha1,md5 certificate=ocn-ike2-svr1 cipher=\
    blowfish128,aes128-cbc,aes192-cbc,aes256-cbc default-profile=*3 \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=prof-pptp-c2s enabled=yes
/ip address
add address=10.10.11.1/24 comment="address for ike2 VPN" interface=\
    br-vpn-ike2 network=10.10.11.0
add address=192.168.185.1/24 comment="address for Management" interface=\
    vlan185 network=192.168.185.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.0.1/24 interface=vlan100 network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server alert
add disabled=no interface=vlan100 on-alert=\
    ":log error message=\"Rougue DHCP Server Discovered\"" valid-server=\
    18:FD:74:B4:AA:C1
/ip dhcp-server lease
add address=192.168.0.35 client-id=1:9c:5c:8e:c7:75:c4 comment=\
    "Production Wireless AP" mac-address=9C:5C:8E:C7:75:C4 server=*1
add address=192.168.0.201 client-id=1:17:61:12:9:c mac-address=\
    00:17:61:12:09:0C server=*1
add address=192.168.0.79 client-id=1:a4:bb:6d:e2:f4:46 mac-address=\
    A4:BB:6D:E2:F4:46 server=dhcp1
add address=192.168.0.200 comment="Fuji Xerox 2060 Printer" mac-address=\
    08:00:37:FE:0A:D1 server=dhcp1
add address=192.168.0.90 client-id=1:f8:bc:12:6d:e:7f mac-address=\
    F8:BC:12:6D:0E:7F server=dhcp1
add address=192.168.0.34 client-id=1:60:a4:b7:0:65:39 comment=\
    "Meeting Wireless RT" mac-address=60:A4:B7:00:65:39 server=dhcp1
add address=192.168.0.89 client-id=1:a4:bb:6d:c2:d9:b9 mac-address=\
    A4:BB:6D:C2:D9:B9 server=dhcp1
add address=192.168.0.37 client-id=1:84:16:f9:9b:e4:1d comment=\
    "Warehouse Wireless RT" mac-address=84:16:F9:9B:E4:1D server=dhcp1
add address=192.168.0.74 client-id=1:b0:83:fe:64:fc:40 mac-address=\
    B0:83:FE:64:FC:40 server=dhcp1
add address=192.168.0.73 client-id=1:8c:ec:4b:78:b2:33 mac-address=\
    8C:EC:4B:78:B2:33 server=dhcp1
add address=192.168.0.84 client-id=1:b0:83:fe:64:1f:2a mac-address=\
    B0:83:FE:64:1F:2A server=dhcp1
add address=192.168.0.10 client-id=0:94:40:c9:49:15:db:0:0:0 mac-address=\
    94:40:C9:49:15:DB server=dhcp1
add address=192.168.0.87 client-id=1:f8:bc:12:73:2:fb mac-address=\
    F8:BC:12:73:02:FB server=dhcp1
add address=192.168.0.3 client-id=1:ee:c7:e1:c2:88:b0 mac-address=\
    EE:C7:E1:C2:88:B0 server=dhcp1
add address=192.168.0.71 client-id=1:b0:83:fe:58:1c:6f mac-address=\
    B0:83:FE:58:1C:6F server=dhcp1
add address=192.168.0.72 client-id=1:f8:bc:12:7a:f9:3a mac-address=\
    F8:BC:12:7A:F9:3A server=dhcp1
add address=192.168.0.31 comment="AP QC - Ruijie RAP2200E" mac-address=\
    10:82:3D:4D:EE:CE server=dhcp1
add address=192.168.0.32 comment="AP Technical Ruijie RAP2200E" mac-address=\
    10:82:3D:4D:EF:F6 server=dhcp1
add address=192.168.0.75 client-id=1:f4:8e:38:9d:73:44 mac-address=\
    F4:8E:38:9D:73:44 server=dhcp1
add address=192.168.0.202 client-id=1:58:8f:cf:69:b9:7d comment=\
    "Camera IP Canteen" mac-address=58:8F:CF:69:B9:7D server=dhcp1
add address=192.168.0.40 comment="IPC PreWeight" mac-address=\
    B4:36:E3:F1:04:9C server=dhcp1
add address=192.168.0.77 client-id=1:48:f:cf:c0:97:ed mac-address=\
    48:0F:CF:C0:97:ED server=dhcp1
add address=192.168.0.67 client-id=1:e4:54:e8:c7:5e:a8 mac-address=\
    E4:54:E8:C7:5E:A8 server=dhcp1
add address=192.168.0.59 comment="DataColor Instrument" mac-address=\
    00:21:03:80:92:DA server=dhcp1
add address=192.168.0.76 client-id=1:70:b5:e8:5a:c7:78 mac-address=\
    70:B5:E8:5A:C7:78 server=dhcp1
add address=192.168.0.30 client-id=1:a8:5e:45:9a:99:d0 comment=\
    "Asus Wireless Router Office" mac-address=A8:5E:45:9A:99:D0 server=dhcp1
add address=192.168.0.20 client-id=1:b0:22:7a:54:24:ea comment=\
    "Laser Printer HP Color" mac-address=B0:22:7A:54:24:EA server=dhcp1
add address=192.168.0.83 client-id=1:f8:bc:12:7b:6:67 mac-address=\
    F8:BC:12:7B:06:67 server=dhcp1
add address=192.168.0.78 client-id=1:f8:bc:12:99:6d:5d mac-address=\
    F8:BC:12:99:6D:5D server=dhcp1
add address=192.168.0.66 client-id=1:c0:25:a5:c4:14:e mac-address=\
    C0:25:A5:C4:14:0E server=dhcp1
add address=192.168.0.29 client-id=1:4:e:3c:a8:56:e7 mac-address=\
    04:0E:3C:A8:56:E7 server=dhcp1
add address=192.168.0.110 client-id=1:f4:f2:6d:2:96:1 mac-address=\
    F4:F2:6D:02:96:01 server=dhcp1
add address=192.168.0.81 client-id=1:c8:1f:66:29:3:a1 mac-address=\
    C8:1F:66:29:03:A1 server=dhcp1
add address=192.168.0.85 client-id=1:8c:ec:4b:78:b3:10 mac-address=\
    8C:EC:4B:78:B3:10 server=dhcp1
add address=192.168.0.234 client-id=1:28:ee:52:69:57:6 mac-address=\
    28:EE:52:69:57:06 server=dhcp1
add address=192.168.0.86 client-id=1:b0:83:fe:4f:45:f1 mac-address=\
    B0:83:FE:4F:45:F1 server=dhcp1
add address=192.168.0.80 client-id=1:80:ce:62:3a:4b:77 mac-address=\
    80:CE:62:3A:4B:77 server=dhcp1
add address=192.168.0.53 client-id=1:b4:36:e3:d5:29:b9 comment=\
    "IPC Warehouse" mac-address=B4:36:E3:D5:29:B9 server=dhcp1
add address=192.168.0.82 client-id=1:c8:1f:66:43:d:fe mac-address=\
    C8:1F:66:43:0D:FE server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.0.1
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8 gateway=\
    192.168.30.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=XXXXXXXXXX.sn.mynetname.net list=WAN
/ip firewall filter
add action=accept chain=input comment="Acept IPSec packets" protocol=\
    ipsec-esp
add action=accept chain=input comment="Acept L2TP packet" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment="Accept IKE2 UPD ports 500,4500 IPSec" \
    dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="Accept traffic L2TP VPN to LAN" \
    dst-address=192.168.0.0/24 src-address=10.10.10.0/24
add action=accept chain=input comment="Accept traffic IKE2 VPN to LAN" \
    ipsec-policy=in,ipsec src-address=10.10.11.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    10.10.11.0/24
add action=accept chain=forward comment="Accept traffic PPTP VPN to LAN" \
    dst-address=192.168.0.0/24 src-address=10.10.12.0/24
add action=accept chain=forward comment="Accept traffic to ERP" dst-address=\
    192.168.0.11 dst-port=211 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.11 dst-port=212 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.0.11 dst-port=213 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.0.11 dst-port=213 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.0.11 dst-port=212 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.0.11 dst-port=211 \
    protocol=udp
add action=drop chain=forward comment=\
    "Drop invalid addresses E8:CA:C8:FC:50:6D" disabled=yes src-mac-address=\
    E8:CA:C8:FC:50:6D
add action=drop chain=input disabled=yes src-mac-address=E8:CA:C8:FC:50:6D
add action=drop chain=forward comment="Drop invalid traffic." \
    connection-state=invalid
add action=drop chain=input comment="Drop invalid IPSec Address" \
    src-address-list=Invalid_IPSec
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from 192.168.11.0/24  to ANY" disabled=yes \
    ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    src-address=192.168.11.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from ANY to 192.168.11.0/24" disabled=yes \
    dst-address=192.168.11.0/24 ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="for Time Sync UDP 123" dst-port=\
    123 protocol=udp to-ports=12300
add action=masquerade chain=srcnat comment="for WAN1 Connection" \
    out-interface=pppoe-out-vnpt
add action=masquerade chain=srcnat comment="for WAN2 Connection" \
    out-interface=pppoe-out-viettel
add action=masquerade chain=srcnat comment=\
    "for DVR Camera Apps - HairPin NAT" dst-address=192.168.0.60 dst-port=\
    8888 out-interface=vlan100 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="for DVR Web Apps - HairPin NAT" \
    dst-address=192.168.0.60 dst-port=81 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT for SnipeIT" \
    dst-address=192.168.0.16 dst-port=80 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="for PiHole - Hairpin NAT" \
    dst-address=192.168.0.17 dst-port=80 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24 to-addresses=192.168.0.17
add action=masquerade chain=srcnat comment="for Proxmox - Hairpin NAT" \
    dst-address=192.168.0.12 dst-port=8006 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="for L2TP VPN connection" \
    ipsec-policy=out,none out-interface=pppoe-out-viettel src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat comment="for PPTP VPN Connection" \
    ipsec-policy=out,none out-interface=pppoe-out-viettel src-address=\
    10.10.12.0/24
add action=masquerade chain=srcnat comment="for IKE2 VPN Connection" \
    ipsec-policy=out,none out-interface=pppoe-out-viettel src-address=\
    10.10.11.0/24
add action=dst-nat chain=dstnat comment="for DVR Camera Apps" \
    dst-address-list=WAN dst-port=49800 protocol=tcp to-addresses=\
    192.168.0.60 to-ports=8888
add action=dst-nat chain=dstnat comment="for DVR Web Apps" dst-address-list=\
    WAN dst-port=49801 protocol=tcp to-addresses=192.168.0.60 to-ports=81
add action=dst-nat chain=dstnat comment="for SnipeIT" dst-address-list=WAN \
    dst-port=49802 protocol=tcp to-addresses=192.168.0.16 to-ports=80
add action=dst-nat chain=dstnat comment="for PiHole" dst-address-list=WAN \
    dst-port=49803 protocol=tcp to-addresses=192.168.0.17 to-ports=80
add action=dst-nat chain=dstnat comment="for Proxmox VM" dst-address-list=WAN \
    dst-port=49804 protocol=tcp to-addresses=192.168.0.12 to-ports=8006

In addition below 4011 router is CRS326 config have vlan trunk on port 1 , and almost untag vlan100 on all other port. Does any mistake with my config ? Pls help me point out , many thanks

# 2024-01-02 14:25:14 by RouterOS 7.12.1
# software id = F4JN-62H2
#
# model = CRS326-24G-2S+
# serial number = XXXXXXXXXXXXXX
/interface bridge
add add-dhcp-option82=yes comment="Bridge Core Switch" dhcp-snooping=yes \
    ingress-filtering=no name=brcoresw vlan-filtering=yes
/interface vlan
add interface=brcoresw name=vlan185 vlan-id=185
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/system logging action
set 1 disk-file-count=3 disk-lines-per-file=4096
/interface bridge port
add auto-isolate=yes bridge=brcoresw comment="Trunk Port" ingress-filtering=\
    no interface=ether1 trusted=yes
add bridge=brcoresw comment="Production Office" ingress-filtering=no \
    interface=ether2 pvid=100
add bridge=brcoresw comment="QC Office - Micronizer" ingress-filtering=no \
    interface=ether3 pvid=100
add bridge=brcoresw comment=DATA26 ingress-filtering=no interface=ether4 \
    pvid=100
add bridge=brcoresw comment="Fuji Xerox 2060 Printer" ingress-filtering=no \
    interface=ether5 pvid=100
add bridge=brcoresw comment="DATA35 - Finance" ingress-filtering=no \
    interface=ether6 pvid=100
add bridge=brcoresw comment="NAS - Ocean" ingress-filtering=no interface=\
    ether7 pvid=100
add bridge=brcoresw comment="Proxmox Server" ingress-filtering=no interface=\
    ether8 pvid=100
add bridge=brcoresw comment="DATA36 - Sales Assistant" ingress-filtering=no \
    interface=ether9 pvid=100
add bridge=brcoresw comment="DATA32 - Wifi Main Office" ingress-filtering=no \
    interface=ether10 pvid=100
add bridge=brcoresw comment="DATA29 - ERP OPS Jason's Desk" \
    ingress-filtering=no interface=ether11 pvid=100
add bridge=brcoresw comment="DATA03 - Technical Office SW" ingress-filtering=\
    no interface=ether12 pvid=100
add bridge=brcoresw comment="DATA14 - DataColor 800 PC" ingress-filtering=no \
    interface=ether13 pvid=100
add bridge=brcoresw comment="DATA15 - DataColor 800 Instrument" \
    ingress-filtering=no interface=ether14 pvid=100
add bridge=brcoresw comment="DATA13 - RD Switch - Thong's Desk" \
    ingress-filtering=no interface=ether15 pvid=100
add bridge=brcoresw comment="Security Front Gate" ingress-filtering=no \
    interface=ether16 pvid=100
add bridge=brcoresw comment="DATA33 - Jackie's Desk" ingress-filtering=no \
    interface=ether17 pvid=100
add bridge=brcoresw comment="Warehouse SW" ingress-filtering=no interface=\
    ether18 pvid=100
add bridge=brcoresw comment="DATA34 - Finance Supervisor" ingress-filtering=\
    no interface=ether19 pvid=100
add bridge=brcoresw ingress-filtering=no interface=ether20 pvid=100
add bridge=brcoresw comment="DATA27 - Main Office - QA" ingress-filtering=no \
    interface=ether21 pvid=100
add bridge=brcoresw comment="DATA01 - Reception" ingress-filtering=no \
    interface=ether22 pvid=100
add bridge=brcoresw comment="Untag to Core Switch 2" ingress-filtering=no \
    interface=ether23 pvid=100
add bridge=brcoresw interface=ether24
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=brcoresw tagged=ether1,ether24 untagged="ether2,ether3,ether4,ether\
    5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ethe\
    r15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23" \
    vlan-ids=100
add bridge=brcoresw tagged=ether1,ether24,brcoresw vlan-ids=185
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.185.2/24 comment="Management Interface" interface=vlan185 \
    network=192.168.185.0
/ip dns
set servers=192.168.0.17,8.8.8.8
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.185.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=49091
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Asia/Bangkok
/system identity
set name=Core-Switch
/system logging
add action=disk topics=error
add action=disk topics=critical
add action=disk topics=info
add action=disk topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.0
add address=162.159.200.1
/system routerboard settings
set boot-os=router-os
/tool romon
set enabled=yes

Do you have an input rule from your LAN to the Mikrotik? Looking at your rule base, that doesn’t seem to be the case.

Can you post the outputs of the following commands?

/ip firewall/filter/print where chain=input
/ip firewall/filter/print where chain=forward
/ip firewall/filter/print where chain=output

Thank you for for comment, here the result on the router:

/ip firewall/filter/print where chain=input
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Acept IPSec packets
      chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    ;;; Acept L2TP packet
      chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix="" 

 2    ;;; Accept IKE2 UPD ports 500,4500 IPSec
      chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix="" 

 3    ;;; Accept traffic IKE2 VPN to LAN
      chain=input action=accept src-address=10.10.11.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 

 4 X  chain=input action=drop src-mac-address=E8:CA:C8:FC:50:6D log=no log-prefix="" 

 5    ;;; Drop invalid IPSec Address
      chain=input action=drop src-address-list=Invalid_IPSec log=no log-prefix=""

/ip firewall/filter/print where chain=forward
Flags: X - disabled, I - invalid; D - dynamic 
 6    ;;; Accept traffic L2TP VPN to LAN
      chain=forward action=accept src-address=10.10.10.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

 7    chain=forward action=accept src-address=10.10.11.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

 8    ;;; Accept traffic PPTP VPN to LAN
      chain=forward action=accept src-address=10.10.12.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

 9    ;;; Accept traffic to ERP
      chain=forward action=accept protocol=tcp dst-address=192.168.0.11 dst-port=211 log=no log-prefix="" 

10    chain=forward action=accept protocol=tcp dst-address=192.168.0.11 dst-port=212 log=no log-prefix="" 

11    chain=forward action=accept protocol=tcp dst-address=192.168.0.11 dst-port=213 log=no log-prefix="" 

12    chain=forward action=accept protocol=udp dst-address=192.168.0.11 dst-port=213 log=no log-prefix="" 

13    chain=forward action=accept protocol=udp dst-address=192.168.0.11 dst-port=212 log=no log-prefix="" 

14    chain=forward action=accept protocol=udp dst-address=192.168.0.11 dst-port=211 log=no log-prefix="" 

15 X  ;;; Drop invalid addresses E8:CA:C8:FC:50:6D
      chain=forward action=drop src-mac-address=E8:CA:C8:FC:50:6D log=no log-prefix="" 

16    ;;; Drop invalid traffic.
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

 /ip firewall/filter/print where chain=output
Flags: X - disabled, I - invalid; D - dynamic

Your rules are seriously messed up and do not contain the usual elements (established, fasttrack…) however they don’t end in drop all so everything is accepted (hint: bad).

Reading your configurations:

• I do not see any definition for the vlans in the bridge (/interface bridge vlan) of your RB4011, which could be normal if you are not using vlan-filtering.
• This NAT is problematic, you are changing the source IP to the same as the destination IP

add action=masquerade chain=srcnat comment="for PiHole - Hairpin NAT" \
    dst-address=192.168.0.17 dst-port=80 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24 to-addresses=192.168.0.17

• You have static leases bound to a server that no longer exists (search for server=*1)
• This NAT is problematic, it catches ALL NTP packets, regardless

add action=masquerade chain=srcnat comment="for Time Sync UDP 123" dst-port=\
    123 protocol=udp to-ports=12300

There are other small issues but nothing that would explain why you can’t get access to the Internet. Can you do the following:

• Check on your router that you actually see the leases being bound to your clients
• Look at the connection table (/ip firewall connection/print) and determine if you see connections from 192.168.0.0/24 to the internet, and if so look at the detailed table to determine whether the reply-dst-address corresponds to the interface of WAN1
• If you don’t see any connections from 192.168.0.0/24 in your connection table, check if your clients have the right gateway and an ARP entry for that gateway.

First of all, many thanks to your point of the firewall. I will find a good practice to make it more secure.
Secondly, to answer your question:

• Yes I do not use vlan filtering on the router, all vlan process on the switch CRS326, only tagged traffic to eth10 sent to the switch and it will process it all.
  The connection most of the PC is ok but sometime for some reason it decide not to go online even local IP has been leased.

Edit: I’m thinking maybe there is other rouge dhcp on the network that lease the address but i can’t find one. strange things even i see the leased ip being bound to client, and get all the DNS setting of my dchp but still can not get online, i have to release and renew for a few times then it can go online.

Then you may consider creating the VLAN as subinterfaces of the ethernet port directly, instead of going through a VLAN interface/bridge/bridge port.

That would indeed be an issue, and that is the reason I asked you to check whether you see the leases being bound. A possible way is to sniff the traffic and generate a DHCP request (or more), and see what MAC responds. Another possibility is to set DHCP snooping to yes on your internal switch and trust only the port that goes to the router.

That indeed is what i’ve changes to direct eth10 , not going to a brigde anymore. I’ve seen to tutorial video on youtube and think that i can get an interface to a brigde and set vlan on that bridge but that seem to be not very correct with my previous setup.

Indeed i’ve already setup dhcp snooping on crs326 bridge and trusted only trunk interface, but still not a clues what causing the problem, only a few random user facing this problem but still trying to find the root cause.
Many thanks for your help. really appreciate it.