No internet access on Vlan

Hello, I’m just learning, so all hints about the current configuration are welcome :slight_smile: I’m learning how to set up VLANs, and overall I think I’ve configured everything the way I’d like. I have VLAN 30, and I’d like it to be something like a DMZ zone. I have separated a file server and a private web server into this VLAN. Unfortunately, neither server has internet access. Could you advise what to improve or fix in my configuration? I would be very grateful. The device is a hAP ax3.

# Layer-2 and interface setup: one VLAN-filtering bridge, two Wi-Fi radios plus
# an IoT virtual AP, VLAN interfaces 20 and 30 on top of the bridge, and three
# interface lists (WAN, LAN, DmZ).
/interface bridge
add admin-mac=78:9A:18:36:14:DF auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
# The main SSIDs accept WPA2-PSK and WPA3-PSK; the IoT virtual AP is WPA2-PSK only.
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Poland \
    .mode=ap .ssid=UberNet disabled=no security.authentication-types=wpa2-psk,wpa3-psk
add configuration.hide-ssid=no .mode=ap .ssid=UberNetIoT disabled=no mac-address=7A:9A:18:36:14:E5 master-interface=wifi2 name=\
    "wifi2 IoT" security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Poland \
    .mode=ap .ssid=UberNet5 disabled=no name=wifi5 security.authentication-types=wpa2-psk,wpa3-psk
# Routed (layer-3) interfaces for VLAN 20 (IoT) and VLAN 30 (the intended DMZ).
/interface vlan
add interface=bridge name="vlan20 - iot" vlan-id=20
add interface=bridge name="vlan30 - dorsz" vlan-id=30
# DmZ is defined here, but its only member entry (vlan30, under
# /interface list member) is disabled and no firewall rule in this export
# matches on it, so the list currently has no effect.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DmZ
# One address pool and one DHCP server per subnet: 192.168.88.0/24 on the
# bridge itself, 192.168.20.0/24 on VLAN 20 and 192.168.30.0/24 on VLAN 30.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="DHCP IoT" ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool="DHCP IoT" interface="vlan20 - iot" name=dhcp1-Iot
add address-pool=dhcp_pool2 interface="vlan30 - dorsz" name=dhcp1
# Access-port assignment: ether3 and ether5 are untagged members of VLAN 30,
# ether4 and the "wifi2 IoT" AP of VLAN 20; ether2, wifi5 and wifi2 set no pvid.
# NOTE(review): ether4 is the only access port with a pvid but no frame-types
# restriction; consider giving it the same admit-only-untagged-and-priority-tagged
# setting as the others so tagged frames are not accepted from that port.
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=30
add bridge=bridge comment=defconf interface=wifi5
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="wifi2 IoT" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only the bridge (CPU port) is listed as a tagged member; the access ports are
# not listed as untagged here. Presumably they are added dynamically from their
# pvid - verify with "/interface bridge vlan print".
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
# Only "bridge" is in LAN. Neither VLAN interface is a LAN member and the DmZ
# entry for vlan30 is disabled, so every firewall rule that matches
# in-interface-list=!LAN also matches traffic arriving on vlan20 and vlan30.
# That includes the input-chain drop, i.e. DNS queries sent to the router.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface="vlan30 - dorsz" list=DmZ
# Router addresses (the gateway of each subnet), the WAN DHCP client, static
# leases, per-subnet DHCP options and the router's DNS service.
# interface=*D refers to an interface by internal ID; presumably that interface
# no longer exists and this disabled entry is a leftover.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.20.1/24 interface="vlan20 - iot" network=192.168.20.0
add address=192.168.3.1/24 disabled=yes interface=*D network=192.168.3.0
add address=192.168.30.1/24 interface="vlan30 - dorsz" network=192.168.30.0
/ip dhcp-client
add comment=defconf interface=ether1
# Static leases; 192.168.30.2 and 192.168.30.3 are the targets of the dst-nat
# rules under /ip firewall nat.
/ip dhcp-server lease
add address=192.168.88.224 client-id=1:a8:86:dd:b5:17:cd mac-address=A8:86:DD:B5:17:CD server=defconf
add address=192.168.88.111 client-id=1:a8:a1:59:ee:4f:cc mac-address=A8:A1:59:EE:4F:CC server=defconf
add address=192.168.20.3 mac-address=C8:2B:96:54:48:3C server=dhcp1-Iot
add address=192.168.20.4 mac-address=84:0D:8E:77:41:8B server=dhcp1-Iot
add address=192.168.20.6 client-id=1:0:80:64:df:c4:1e mac-address=00:80:64:DF:C4:1E server=dhcp1-Iot
add address=192.168.20.2 mac-address=C4:4F:33:B3:97:76 server=dhcp1-Iot
add address=192.168.20.7 mac-address=2C:F4:32:AA:A2:0F server=dhcp1-Iot
add address=192.168.20.8 mac-address=FC:F5:C4:86:FA:B9 server=dhcp1-Iot
add address=192.168.20.9 mac-address=50:02:91:B8:60:FA server=dhcp1-Iot
add address=192.168.30.2 client-id=1:0:11:32:40:51:4c mac-address=00:11:32:40:51:4C server=dhcp1
add address=192.168.30.3 client-id=ff:bc:92:b3:ba:0:2:0:0:ab:11:3c:51:6a:14:85:56:c4:2 mac-address=DC:A6:32:7F:A1:E5 server=dhcp1
# Unlike the other two networks, 192.168.30.0/24 has no dns-server set.
# NOTE(review): confirm which resolver VLAN 30 clients end up using; if it is
# the router, the input chain has to let their DNS queries in.
/ip dhcp-server network
add address=192.168.20.0/24 comment=IoT dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from any
# interface the input chain lets through; the input drop for !LAN is what keeps
# it from answering queries arriving on WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter and NAT. Rules are evaluated top to bottom within each chain.
# The first rule is disabled and has no effect.
#
# input chain (traffic to the router itself): ends with a drop of everything
# that does not arrive from the LAN list. vlan20 and vlan30 are not in LAN, so
# new connections from those VLANs to the router (DNS included) are dropped;
# ICMP is accepted earlier in the chain.
#
# forward chain (traffic through the router): the only drop for new connections
# is the WAN "not DSTNATed" rule. Nothing here drops new connections between
# 192.168.88.0/24, VLAN 20 and VLAN 30, so they fall through the chain and are
# accepted.
# NOTE(review): as written, the internet-exposed hosts in VLAN 30 can open
# connections to the LAN and IoT subnets, so VLAN 30 is not yet isolated like a
# DMZ. Forward-chain drop rules for new connections from "vlan30 - dorsz" to
# the other internal subnets would be needed for that.
/ip firewall filter
add action=accept chain=forward comment="Vlan port forwarding" connection-nat-state="" disabled=yes dst-address=192.168.30.0/24 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
# The defconf masquerade already covers outbound traffic from every subnet,
# because it matches on out-interface-list=WAN rather than on a source subnet.
#
# The "Vlan 30 internet access" rule matches traffic leaving the router INTO
# VLAN 30, not traffic from VLAN 30 to the internet. Its effect is that
# connections forwarded to 192.168.30.2 / 192.168.30.3 arrive with the router's
# VLAN 30 address as source, so the servers' logs and any per-client bans or
# rate limits no longer see the real client address.
# NOTE(review): this rule is probably not what was intended; confirm it can go.
#
# The two dst-nat rules match on protocol and dst-port only, with no
# in-interface-list or dst-address, so they apply to any TCP connection to
# those ports passing through the router, whichever interface it came from.
# NOTE(review): consider limiting them to in-interface-list=WAN.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Vlan 30 internet access" out-interface="vlan30 - dorsz"
add action=dst-nat chain=dstnat comment="Minecraft server forward" dst-port=24465 protocol=tcp to-addresses=192.168.30.3 to-ports=\
    24465
add action=dst-nat chain=dstnat comment="Dorsz Drive" dst-port=6690 protocol=tcp to-addresses=192.168.30.2 to-ports=6690
# IPv6 firewall, all defconf rules. bad_ipv6 collects address ranges that the
# forward chain drops as either source or destination.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Both chains end with a drop of everything not arriving from the LAN list.
# Unlike the IPv4 forward chain, this also drops new forwarded connections that
# arrive on vlan20 or vlan30, since neither interface is a LAN member.
# NOTE(review): only relevant if IPv6 is in use; no IPv6 addresses appear in
# this export.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# System and tool settings.
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/system package update
set channel=long-term
# MAC-level management (MAC server and MAC-Winbox) is limited to the LAN list,
# which contains only the bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# ether3 is one of the VLAN 30 access ports (pvid=30); this sniffer filter is
# presumably left over from troubleshooting.
/tool sniffer
set filter-interface=ether3

Your config is not correct yet.
Read through… http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

First decide if you need vlans.
If you have enough ports, you don't need vlans.
Keep the bridge, ditch the vlans, and put subnet iot on etherX and subnet dorsz on another ethport.

OR
All vlans
meaning take the subnet off the responsibility of the bridge and create a third vlan, with interface bridge like the other vlans.

I have read and just based on the config provided in this thread. I wanted a Vlan because I wanted different addresses and then easily separate that with a firewall, I read that a Vlan would be best for just that. As for the DNS not working I added

# Despite the "DorszDNS" comment, this rule matches on the interface only, with
# no protocol or dst-port, so it accepts every connection from VLAN 30 to the
# router itself, including any management services the router listens on.
# NOTE(review): for a DMZ, limit it to DNS (dst-port=53 with protocol=udp, plus
# a second rule for protocol=tcp) so internet-exposed servers cannot reach the
# router's other services.
# The rule only takes effect if it sits above "defconf: drop all not coming
# from LAN" in the input chain. The export names the interface
# "vlan30 - dorsz" (lower-case d); confirm the name used here matches.
add action=accept chain=input comment="DorszDNS" in-interface="vlan30 - Dorsz"

Now I have access to the Internet and DNS from Vlan 30. I would rather choose the option of putting everything on Vlans; I bought this equipment mainly for learning :slight_smile: Can you give me a hint on how I can have the bridge under a vlan?

Yeah, I linked the appropriate document. Not as good but also available… https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table

Videos For setting up MT
https://www.youtube.com/watch?v=pdpFAxwocTo&t=467s

MT part1- https://www.youtube.com/watch?v=US2EU6cgHQU&t=299s

MT part2- https://www.youtube.com/watch?v=YMwOrc0LDP8