OK, if you are using hardware VLAN switching see
https://help.mikrotik.com/docs/display/ ... upExamples and
https://wiki.mikrotik.com/wiki/Manual:Switch_Router. I can't comment on the video (I'm not going to waste time watching it), but many third-party videos and guides are either outdated, not optimal, or just incorrect.
Under
/interface vlan you should reference the parent bridge (
BR1), not the child interfaces (
ether2).
For traffic from the switch chip to the CPU you have to include the
switch1-cpu port in the configuration under
/interface ethernet switch vlan. If you are just switching traffic between ports you do not need
/interface vlan entries for them - the home and guest entries are likely redundant in your setup.
Other than that the current settings are ether2: 10,100,200 tagged; ether3: 100 untagged; ether4: 200 untagged & 100 tagged.
As noted in the documentation "For devices with QCA8337 and Atheros8327 switch chips a default
vlan-header=leave-as-is should be used. When
vlan-mode=secure is configured, it ignore switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as
vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only
default-vlan-id frames are untagged at the egress of port."
You have configured the DHCP server on ether1, there is none on the "wan" VLAN.
If the Mikrotik is really connected to 108.20.x.x public address having firewall rules would be a good idea.