Will echo TDW in most respects
1. Leave bridge default to pvid=1 and remove ingress filtering for now (I don't use it at my place for my bridge)
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes
To
/interface bridge
add name=Bridge pvid=1 vlan-filtering=yes
2. No need to make an interface list of VLAN as you already have LAN. You also have firewall rules where you identify LAN but have no corresponding member identification.
So......
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=PrivateVLAN list=VLAN
add interface=GuestVLAN list=VLAN
To
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=PrivateVLAN list=LAN
add interface=GuestVLAN list=LAN
3. Your firewall rules are missing some default rules that you should have and perhaps denying some services to the guest LAN!!
Should look like this....
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Router-ACCESS only for ADMIN" in-interface=PrivateVLAN src-address-list=AdminAccess (see note)
add action=accept chain=input comment="Allow access to router dns services for all users" in-interface-list=LAN dst-port=53 protocol=tcp connection-state=new
add action=accept chain=input comment="Allow access to router dns services for all users" in-interface-list=LAN dst-port=53 protocol=udp connection-state=new
add action=drop chain=input comment=Drop
Note: Create a firewall address list (AdminAccess) of all the devices you would use to access and config the router: desktop, laptop, iPad etc.
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlan access" in-interface=PrivateVLAN out-interface=GuestVLAN src-address-list=AdminAccess
add action=drop chain=forward comment=Drop
I removed this rule because I don't understand its purpose nor how it works, or what effects it may have. Let's get a clean config working before getting TOO FANCY!
add action=accept chain=forward comment="Allow Reverse Proxy Access" connection-state=! dst-address=192.168.88.9 in-interface-list=VLAN
4. Your srcnat rule is incomplete!
From
/ip firewall nat
add action=masquerade chain=srcnat comment=SrcNAT
To
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
Again I would remove the reverse proxy rule here as well, as I don't understand its purpose or effects on the config.
5. NOW TO THE MEAT OF VLANS lol.
Looking at your diagram tells me that you have one server that is the root cause of the reverse proxy and hairpin NAT etc.
I think a better way to manage this would be the following, EASY PEASY: just put the server on a different subnet and you no longer need hairpin NAT!!!!
Vlan30 (for the server) and call it VLANServer
DHCP for this vlan
Address for vlan
pool for vlan
DHCP network for VLAN
If the Server has different requirements than the private LAN and Guest VLAN, for example: does the server need access to the internet (will traffic actually originate at the server and head out to the internet, or will it only respond to requests)? Will the SERVER need DNS services?
I would consider adding back your VLAN interface list member and only assigning the Server VLAN to it, so that you have some additional flexibility in firewall rules once you make this requirement clearer!!!
/interface list member
add interface=VLANServer list=VLAN
6. From the diagram, it seems clear that we have a trunk port on ether2 and ether3 to Ubiquiti access points to handle both VLANs, 20 and 10. I am not sure how Ubiquiti handles the default vlan1 and they both could be hybrid ports, but let's go on the assumption that they act like other vendors, or possibly a hybrid port on ether2 to the Ubiquiti access point, as they are strange beasts.
Ether 4 is an access port on the Server VLAN, untagged, ether5,6,7 are access ports on the private vlan, untagged.
The only ports for the guest vlan are wifi ports.
Modify to as follows...
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3 untagged=ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
add bridge=Bridge tagged=Bridge untagged=ether4 vlan-ids=30
7. This works for me in terms of wifi using TP-Link access points and MT access points, but unsure of Ubiquiti.
In all cases I set the working LANIP of the devices to be that on the MAIN network in this case the private LAN network.
Your best bet is to get the mac addresses of both ubiquiti units and go to the router and add them as devices with those mac addresses and assign unused fixed IPs from the private vlan.
Then go into the Ubiquiti units and manually assign them those fixed LAN IPs as their LAN address.
So I read this......
https://help.ui.com/hc/en-us/articles/219654087
What a mess....... do you use a controller app or program to config these access points? If so is it done from your computer?
Apparently they need an untagged VLAN for controlling... Gets annoyingly complex. They do state afterwards you can move to a tagged VLAN for control... pfffft
Okay what I would do is create vlan99 - ControllerLAN
DHCP / pool / DHCP network / address, and add it to the bridge as an interface; it will only be noted as follows
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether2 pvid=99
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3 pvid=99
You could (but it's not necessary) add the following line to the bridge vlan config (it is done automatically in the background by the router, but I like to see it in the config so everything is plainly visible)
add bridge=Bridge tagged=Bridge untagged=ether2,ether3 vlan-ids=99
Then you should be able to use the controller on the private network to access the Access points.
Assuming the controller is on your PC (firewall forward filter rule)
add action=accept chain=forward in-interface=PrivateVLAN src-address-list=AdminAccess out-interface=ControllerLAN
8. Almost forgot, your destination NAT rule can simply be (AND MISSING PORT NUMBER ON ORIG CONFIG!!)
/ip firewall nat
add action=dst-nat chain=dstnat comment="serveraccess" dst-address-list=PUBLIC-IP protocol=tcp dst-port=???? to-addresses=192.168.30.9
9. MISSING FIREWALL RULE TO ALLOW PORT FORWARDING.
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
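As an added example (not part of the post above, and not the original poster's config), here are the RouterOS commands behind the headings in item 5 (VLAN interface, address, pool, DHCP server, DHCP network, bridge VLAN entry) for the VLAN30 server VLAN. The 192.168.30.0/24 subnet is inferred from the 192.168.30.9 server address in item 8; the gateway, pool range, DNS server and the MAC address placeholder are assumptions.

```routeros
# Added example: server VLAN 30 on the Bridge (assumed subnet 192.168.30.0/24).
# The VLAN interface sits on the bridge so the router can route for it.
/interface vlan
add interface=Bridge name=VLANServer vlan-id=30

# Router's address on the server VLAN (assumed .1 as gateway)
/ip address
add address=192.168.30.1/24 interface=VLANServer network=192.168.30.0

# Pool, DHCP server and DHCP network for the VLAN (assumed ranges/DNS)
/ip pool
add name=pool-vlan30 ranges=192.168.30.10-192.168.30.254

/ip dhcp-server
add address-pool=pool-vlan30 interface=VLANServer name=dhcp-vlan30

/ip dhcp-server network
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1

# Static lease so the server keeps the address the item 8 dst-nat rule points at.
# XX:XX:XX:XX:XX:XX is a placeholder for the server's real MAC address.
/ip dhcp-server lease
add address=192.168.30.9 mac-address=XX:XX:XX:XX:XX:XX server=dhcp-vlan30 comment=server

# Item 5: only the server VLAN goes in the VLAN interface list, keeping it
# separate from LAN so forward rules can treat it differently later.
/interface list member
add interface=VLANServer list=VLAN

# Bridge membership: VLAN 30 tagged to the CPU (Bridge) and untagged on ether4,
# matching the ether4 pvid=30 access port in item 6.
/interface bridge vlan
add bridge=Bridge tagged=Bridge untagged=ether4 vlan-ids=30
```

With the server on its own subnet, LAN clients reach it by routing through the router rather than via the public address, which is why the hairpin NAT from the original config is no longer needed.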