No internet on VLAN/Other devices when the switch can ping google's DNS

RouterOS Beginner Basics
11

Aside from the fact that the devices is not suitable to act as NAT gateway for Gbps internet, the configuration posted in the OP has several issues:

  • vlan-filtering=yes is missing on the bridge.

  • Device is still using the very old version 7.6, and declares the two interfaces NetworkDevices and NutterDevices, but under /interface bridge vlan the bridge is not listed in the tagged list of VLAN 10 and 40. If you want to be lazy and omit that, then you'll need to upgrade RouterOS to the recently released versions, where that will be done automatically for you.

  • Port ether2 has pvid=10 and frame-types=admit-all, but under /interface bridge vlan is listed in the tagged list of VLAN 10.

    • If you want ether2 to be access port of VLAN 10, then you must remove it from the tagged list and it it to the untagged list (optional, RouterOS can also do it automatically for you).

    • But if you want VLAN 10 to be tagged on that port, then EITHER set frame-types=admit-only-vlan-tagged on ether2 (make it trunk port only); OR keep frame-types=admit-all but change pvid=1 (ether2 will be hybrid port).

  • VLAN 40 has no port assigned.

  • The bridge interface that appears to be your WAN interface (quite questionable setup) should be in the interface list WAN and not LAN. Create an interface list WAN and move the bridge to it.

  • Port ether2 doesn't need to be in the LAN interface list.

  • You have wrong and redundant masquerade rules, remove all and only keep:

    /ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

  • Where are the firewall filter rules protecting your router and the LAN?

About how to configure VLAN, read the official docs, including the examples. If you don't know the several VLAN terms, read this often linked guide, the first post explains the concepts.

If you want to secure your firewall, apply the defconf firewall rules that come with MikroTik's SOHO devices here (use the rules for RouterOS 7).

Further, you should not use the whole bridge as WAN interface. Assuming ether7 is the port connected to the ISP, you should do the following modifications (after having upgraded RouterOS and fixing the VLAN configuration):

  • Set pvid=1000 on ether7 (or any number of your choice between 2-4094 excluding 10 and 40).
  • Under /interface vlan create VLAN interface vlan-wan with bridge as parent with the VLAN ID above.
  • Add vlan-wan to WAN interface list that you've created above.
  • Modify the DHCP client instance to use vlan-wan as interface instead of bridge.