VLAN from router to managed switch

It appears to be a confused setup and probably some simplification will help.

A. create vlan for IOT - need full dhcp settings for this (vlan interface is bridge)
B. create vlan for Normal traffic - keep current dhcp settings for this (vlan interface is bridge)
C. remove bridge from dhcp service

Then having all interfaces on the bridge makes sense.

For all interfaces where the end device is not smart, like a PC, the port becomes an access port with the PVID set to the particular VLAN.
For all interfaces where the end device is smart, like a switch, the port becomes a trunk port.

Assign bridge ports and Bridge Vlans as applicable.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 is your best reference.


Needs adjusting

/interface vlan
add interface=ether2 name=IOT20 vlan-id=20
add interface (for normal LAN) name=houselan vlan-id=101 for example


/ip dhcp-server
add pool for IOT

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 [If trunk - ingress filtering = yes]
add bridge=bridge comment=defconf interface=ether3 [If access frames allowed priority and untagged]
add bridge=bridge comment=defconf interface=ether5 [If access frames allowed priority and untagged]
add bridge=bridge comment=defconf interface=sfp1 ???
where is ether 7 bridge port???
add bridge=bridge interface=ether4 [If access frames allowed priority and untagged]

/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=192.168.4.0


Suggested improvements!
The default input chain lets ALL users access the router. Only the admin needs that, while all LAN users may need only specific services (DNS and NTP come to mind).
On the forward side, the NAT rule is combined with blocking WAN traffic. I prefer to separate them out, and thus a NAT rule doesn't have to be included. Also, the use of drop-all-else rules means one only has to be concerned with admin user rules, where one KNOWS what traffic is to be permitted.

/ip firewall filter
{input chain}
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
{forward chain}
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Becomes:
/ip firewall filter
{input chain}
add action=accept chain=input comment="allow admin access" in-interface=vlan101 src-address-list=adminaccess ***
add action=accept chain=input (ONE FOR TCP, ONE FOR UDP, in-interface-list=LAN dst-port=53)
add action=drop chain=input comment="drop all else" CAUTION! this rule should only be added when the admin access rule above is in place!!!

*** Firewall address list
add address=IP of admin desktop list=adminaccess
add address=IP of admin laptop list=adminaccess
add address=IP of admin ipad etc… list=adminaccess

{forward chain}
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN [becomes optional]

add action=drop chain=forward comment="drop all else" (stops all WAN to LAN traffic, all routing between VLANs, and anything else you were not aware of)
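Putting steps A to C and the firewall suggestion together, here is an added RouterOS 7 example of the whole setup; it is not config from the original poster or thread. It keeps the page's VLAN IDs (20, 101), ports (ether2 trunk, ether3/4/5 access) and the 192.168.4.0/24 house subnet; the IoT subnet, pool ranges, which access port lands in which VLAN, the admin address and the presence of the defconf WAN interface list and established/related accept rules are assumptions.

```routeros
# Bridge with VLAN filtering left OFF until every port and VLAN is defined (avoids locking yourself out)
/interface bridge
add name=bridge vlan-filtering=no
# Trunk towards the managed switch: tagged frames only, ingress filtering on
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# Access ports: PVID sets the VLAN, only untagged/priority-tagged frames accepted (VLAN membership assumed)
add bridge=bridge interface=ether3 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=101 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Bridge VLAN table: the bridge itself is tagged so the router can own an IP in each VLAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=101
# Steps A and B: VLAN interfaces live on the bridge, not on a physical port
/interface vlan
add interface=bridge name=IOT20 vlan-id=20
add interface=bridge name=houselan vlan-id=101
# Step C: addressing and DHCP move from the bridge to the VLAN interfaces (IoT subnet is constructed)
/ip address
add address=192.168.4.1/24 interface=houselan network=192.168.4.0
add address=192.168.20.1/24 interface=IOT20 network=192.168.20.0
/ip pool
add name=pool-house ranges=192.168.4.10-192.168.4.254
add name=pool-iot ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=pool-house interface=houselan name=dhcp-house
add address-pool=pool-iot interface=IOT20 name=dhcp-iot
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# Both VLANs count as LAN for the firewall lists (WAN list assumed to exist from defconf)
/interface list member
add interface=houselan list=LAN
add interface=IOT20 list=LAN
# Only listed admin hosts may manage the router (address is constructed)
/ip firewall address-list
add address=192.168.4.50 list=adminaccess comment="admin desktop (constructed)"
/ip firewall filter
add action=accept chain=input connection-state=established,related comment="assumed defconf rule kept"
add action=accept chain=input comment="allow admin access" in-interface=houselan src-address-list=adminaccess
add action=accept chain=input comment="LAN DNS udp" in-interface-list=LAN protocol=udp dst-port=53
add action=accept chain=input comment="LAN DNS tcp" in-interface-list=LAN protocol=tcp dst-port=53
add action=drop chain=input comment="drop all else"
add action=accept chain=forward connection-state=established,related comment="assumed defconf rule kept"
add action=accept chain=forward comment="LAN out to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (blocks WAN->LAN and inter-VLAN routing)"
# Last step: switch filtering on once the table above is complete
/interface bridge set bridge vlan-filtering=yes
```

The forward drop-all-else rule also blocks IoT to house traffic, so any device that must cross VLANs needs its own explicit accept rule placed above it.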