VLANs and hybrid ports problem.

(attachment: Graphic1.jpg)
Hello.
The configuration is based on bridge VLAN-Filtering.
Everything works fine but I notice 2 problems:

  1. If I connect at any vlan-10 access port and open Winbox, it shows all the MikroTik devices in the vlan10-test 192.168.10.0/24 subnet only.
    After some time it shows one more device, 192.168.88.245, which is the MAC address of the physical interface I am connected to together with the bridge-trunk IP address, and I can connect to it by MAC address,
    not by IP.

  2. If I connect at any bridge-trunk hybrid port and open Winbox, it shows all the MikroTik devices in the bridge-trunk 192.168.88.0/24 subnet only.
    After some time it also shows all the MikroTik devices that are in the VLANs; I can connect to them by MAC address, not by IP.

By "some time" I mean it is not consistent… 5 minutes to 1 hour.
How can I prevent these 2 problems???

# model = CRS326-24G-2S+
/interface bridge
add name=bridge-hub protocol-mode=none
add name=bridge-local protocol-mode=none
add dhcp-snooping=yes name=bridge-trunk protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 Router"
set [ find default-name=ether2 ] name="ether2 ER-X"
set [ find default-name=ether6 ] name="ether6 PC"
/interface vlan
add interface=bridge-trunk name=vlan10-test vlan-id=10
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool-local ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add address-pool=pool-local interface=bridge-local lease-time=10m name=\
    server-local
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge-trunk hw=no interface="ether1 Router" trusted=yes
add bridge=bridge-trunk hw=no interface="ether2 ER-X" pvid=10
add bridge=bridge-trunk hw=no interface=ether3
add bridge=bridge-trunk hw=no interface=ether4
add bridge=bridge-trunk hw=no interface=ether5 pvid=10
add bridge=bridge-trunk hw=no interface="ether6 PC" pvid=10
add bridge=bridge-trunk hw=no interface=ether7 pvid=10
add bridge=bridge-trunk hw=no interface=ether9 pvid=10
add bridge=bridge-hub interface=ether21
add bridge=bridge-hub interface=ether22
add bridge=bridge-local interface=ether23
add bridge=bridge-local interface=ether24
add bridge=bridge-hub interface=ether19
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge-trunk tagged="bridge-trunk,ether1 Router,ether3,ether4" \
    vlan-ids=10
add bridge=bridge-trunk tagged="ether1 Router,ether3,ether4" vlan-ids=20
/ip address
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
add address=192.168.10.3/24 interface=vlan10-test network=192.168.10.0
/ip dhcp-client
add default-route-tables=main interface=bridge-trunk
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-trunk
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="my Switch"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=gr.pool.ntp.org

Based on your config I have no clue what you are doing.
VLAN filtering typically has one bridge; you have two??

Is this device supposed to be acting as a router or a switch?
I suspect a switch because it's a switch LOL, and also by ethernet1, I assume that is a trunk port to the upstream router.
If so, then why is there any DHCP on this device??

Please read the following; it has the switch case included: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Also this: https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1126s&pp=0gcJCU8JAYcqIYzv

/ip neighbor discovery-settings
set discover-interface-list=all

You need to decide which VLAN is your trusted VLAN and create a special interface list for it, e.g. mgmt.

Then you can set your discovery list to mgmt instead of all.

Also set the allowed interface list for the Winbox server to mgmt.

Then only devices that are on the trusted VLAN will be discovered, and your device will be accessible only from that VLAN.

Now I will leave you in the hands of @anav here, who has a few comments about your VLAN configuration.
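The steps in the reply above, written out as a RouterOS script. This is an added example, not part of any post in the thread; it reuses the poster's own interface names (bridge-trunk, vlan10-test) and the list name mgmt from the reply, and it assumes VLAN 10 is the trusted VLAN. The mac-server lines are my reading of "allowed interface list for the Winbox server": on RouterOS the MAC-Winbox and MAC-Telnet servers are the paths that allow the connect-by-MAC behaviour the poster observed, and both carry an allowed-interface-list setting.

```routeros
# Added example (not from the original posts): restrict neighbor discovery
# and MAC-based management to a single trusted VLAN.
# Assumptions: vlan10-test (VLAN 10 on bridge-trunk) is the trusted VLAN;
# the list name "mgmt" follows the reply above.

/interface list
add name=mgmt comment="trusted management VLAN only"

/interface list member
add list=mgmt interface=vlan10-test

# Neighbor discovery drives the device list shown in Winbox; limit it to mgmt
/ip neighbor discovery-settings
set discover-interface-list=mgmt

# MAC-Telnet and MAC-Winbox are the "connect by MAC address" paths;
# limit both to the same list so untrusted VLANs get no L2 management
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt

# Optional: restrict IP-based Winbox to the management subnet as well
# (192.168.10.0/24 is the vlan10-test subnet from the poster's config)
/ip service
set winbox address=192.168.10.0/24

# Verify the result
/interface list member print where list=mgmt
/ip neighbor discovery-settings print
/tool mac-server print
/tool mac-server mac-winbox print
```

Apply this from a session on the trusted VLAN (or via the serial console), since after the change the device stops answering discovery and MAC-Winbox on every other port; the /ip service line additionally drops IP Winbox from the 192.168.88.0/24 trunk subnet, so leave it out if management from the router side is still wanted.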

Thank you all for your reply!
Vlan filtering is only in bridge-trunk.
So… main purpose of the device is for home and office use plus some tests (bridge-hub and bridge-local).
I prefer to keep access to the device from all networks; I trust them all, everything is behind a main MikroTik router!!! :smiley:
At the main MikroTik router it is exactly the same problem!! :laughing:
I will check the suggestions from anav!

Never trust everybody or, in your case, every device. Especially IoT devices. It doesn't matter that they are behind another MikroTik.

Once their phone-home connection is established, they can and will send data back (my washing machine once sent 100 MB of data home…)