/caps-man channel
add band=2ghz-g/n name="Auto 2,4GHz"
add band=5ghz-a/n/ac name="Auto 5GHz"
/interface bridge
add admin-mac=C4:AD:34:85:10:A5 auto-mac=no fast-forward=no name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Orion (Optika)"
set [ find default-name=ether10 ] comment="Wireless Internet (Backup)"
set [ find default-name=sfp1 ] comment="TRUNK Cisco"
/interface pppoe-client
add disabled=no interface=ether10 name="Wireless net" user=spajz
/interface ipip
add local-address=178.219.10.134 name="SPAJZ Centrala" remote-address=\
95.140.124.94
/interface vlan
add comment=Data interface=bridge name=vlan10 vlan-id=10
add comment=Voip interface=bridge name=vlan20 vlan-id=20
add comment=Management+Securitry interface=bridge name=vlan30 vlan-id=30
add comment=Gosti interface=bridge name=vlan254 vlan-id=254
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
Firma vlan-id=10 vlan-mode=use-tag
add bridge=bridge name=Gosti vlan-id=254 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=Gosti
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=Firma
/caps-man configuration
add channel="Auto 2,4GHz" country=serbia datapath=Firma mode=ap name=\
"Firma 2,4GHz" security=Firma ssid="SPAJZ D.O.O. 2,4GHz"
add channel="Auto 2,4GHz" country=serbia datapath=Gosti mode=ap name=Gosti \
security=Gosti ssid=Gosti
add channel="Auto 5GHz" country=serbia datapath=Firma mode=ap name=\
"Firma 5GHz" security=Firma ssid="SPAJZ D.O.O. 5GHz"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.5.50-192.168.5.200
add name=dhcp_pool1 ranges=192.168.20.50-192.168.20.150
add name=dhcp_pool2 ranges=192.168.33.50-192.168.33.100
add name=dhcp_pool3 ranges=192.168.254.2-192.168.254.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=vlan10 \
lease-time=1d name=Data
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=vlan20 \
lease-time=1d name=VoIP
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=vlan30 \
lease-time=1d name=Security+Management
add add-arp=yes address-pool=dhcp_pool3 disabled=no interface=vlan254 \
lease-time=1d name=Gosti
/interface sstp-client
add connect-to=securitron.dyndns-work.com disabled=no name="VPN Securitron" \
profile=default-encryption user=Spajz_VelikiMagacin
/queue tree
add comment=Gosti max-limit=10M name=download packet-mark=download-vlan254 \
parent=vlan254 queue=pcq-download-default
add comment=Gosti max-limit=5M name=upload packet-mark=upload-vlan254 parent=\
vlan254 queue=pcq-upload-default
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.20.20.0/24 authentication-protocol=SHA1 name=private \
security=private write-access=yes
/system logging action
add name=Remote remote=10.20.20.254 target=remote
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
signal-range=-78..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
signal-range=-120..-79 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=vlan30
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
"Firma 2,4GHz" name-format=identity slave-configurations=Gosti
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
"Firma 5GHz" name-format=identity
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=30
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=sfp1,bridge untagged=\
ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10
add bridge=bridge tagged=bridge,sfp1 untagged=ether8 vlan-ids=30
add bridge=bridge tagged=sfp1,bridge vlan-ids=20
add bridge=bridge tagged=sfp1,bridge vlan-ids=254
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=vlan30 list=LAN
add interface=ether1 list=WAN
add interface=ether10 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan254 list=LAN
/ip address
add address=192.168.33.1/24 interface=vlan30 network=192.168.33.0
add address=192.168.5.1/24 interface=vlan10 network=192.168.5.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.254.1/24 interface=vlan254 network=192.168.254.0
add address=178.219.10.134/30 interface=ether1 network=178.219.10.132
add address=13.0.0.2/30 interface="SPAJZ Centrala" network=13.0.0.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.33.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.33.1
add address=192.168.254.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.254.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
add action=drop chain=input dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=vlan254 new-packet-mark=\
upload-vlan254 passthrough=yes
add action=mark-packet chain=prerouting in-interface=ether10 new-packet-mark=\
download-vlan254 passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=vlan254-routing \
packet-mark=upload-vlan254 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.3.0/24 \
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.5.0/24 \
to-addresses=13.0.0.2
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
"VPN Securitron"
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
udp to-addresses=192.168.5.251 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.251 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
udp to-addresses=192.168.5.252 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.252 to-ports=8000
/ip route
add comment=Gosti disabled=yes distance=2 gateway="Wireless net" \
routing-mark=ISP2
add check-gateway=ping distance=1 gateway=178.219.10.133
add distance=2 gateway="Wireless net"
add comment="Centrala Data" distance=1 dst-address=192.168.3.0/24 gateway=\
"SPAJZ Centrala"
add comment="Centrala CCTV" distance=1 dst-address=192.168.37.0/24 gateway=\
"SPAJZ Centrala"
/ip route rule
add action=lookup-only-in-table disabled=yes interface=vlan254 table=ISP2
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=vlan30
/ip upnp
set show-dummy-rule=no
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd pin
set pin-number=1910
/snmp
set contact="Milan Rankovic" enabled=yes location=\
"Spajz Veliki Magacin/Ruter" trap-community=private trap-generators=\
interfaces,start-trap,temp-exception trap-interfaces=all trap-target=\
10.20.20.254 trap-version=3
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name="Ruter Spajz Magacin 7000"
/system logging
add action=Remote prefix=Spajz_Veliki_Magacin-Ruter topics=critical
add action=Remote prefix=Spajz_Veliki_Magacin-Ruter topics=error
/system note
set note="###########################################################\
\n# S E C U R I T R O N #\
\n# Dobrodosli u CLI #\
\n# #\
\n# SVE KONEKCIJE SU PRACENE I SNIMLJENE #\
\n# Diskonektujte se ODMAH ako niste autorizovan korisnik! #\
\n# #\
\n# support: NEMANJA@SECURITRON.RS #\
\n###########################################################"
/system ntp client
set enabled=yes primary-ntp=162.159.200.123
/system scheduler
add interval=1w name="FTP Remote Backup enscripted" on-event=\
"FTP Remote Backup enscripted" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/09/2020 start-time=03:00:00
add interval=15m name="DynuDNS update" on-event="DynuDNS update" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/10/2021 start-time=17:24:53
/system script
add dont-require-permissions=yes name="FTP Remote Backup enscripted" owner=\
nemke policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Script for backup of device data\r\
\n\r\
\n:global ime;\r\
\n:global ver;\r\
\n:global full;\r\
\n:global path;\r\
\n:set ime \"\$[/system identity get name]\";\r\
\n:set ver \"\$[/system package get number=0 version]\";\r\
\n:set full \"\$ime-\$ver.backup\";\r\
\n:set path \"/Backup/Uredjaji/Network/Spajz/Magacin7000/\$full\";\r\
\n\r\
\n# Create Backup file\r\
\n/system backup save encryption=aes-sha256 name=\"\$ime-\$ver\" password=\
Mephisto1910\r\
\n\r\
\n:log info \" Local Backup Created Successfully\"\r\
\n\r\
\n# delay time to finish the create \r\
\n:delay 10s\r\
\n\r\
\n# Upload backup file to FTP server.\r\
\n\r\
\n/tool fetch address=10.20.20.254 src-path=\"\$ime-\$ver.backup\" \\\r\
\nuser=mikrotik mode=ftp password=mikrotik1910 \\\r\
\ndst-path=\$path upload=yes port=21\r\
\n\r\
\n:log info \"Backup Uploaded Successfully\"\r\
\n\r\
\n# delay time to finish the upload\r\
\n:delay 10s\r\
\n\r\
\n# Delete created backup files once they have been uploaded\r\
\n# So they don't accumulate and fill up storage space on the router\r\
\n\r\
\n/file remove [find name~\".backup\"]\r\
\n\r\
\n:log info \"Local Backup File Deleted Successfully\""
add dont-require-permissions=yes name="DynuDNS update" owner=nemke policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://api.dynu.com/nic/update\\\?user ... rabe&hostn\
ame=spajzmagacin7000.dynuddns.com&password=34564024978dc5bbe824e27b6dd15c7\
928f8ce65c22f3837895e589807af0882\""
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add allow-address=10.20.20.0/24
/tool graphing queue
add allow-address=10.20.20.0/24
/tool graphing resource
add allow-address=10.20.20.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool romon port
add disabled=no interface=vlan30

Its been like forever, I grew a beard, while waiting
Sorry wasn't be in office

I will a have a look at the config, confession capsman I know nothing about.

(1) You could remove all the vlan members of the lan and just use the bridge
add interface=bridge list=LAN
Done

(2) Your PPPOE name has to be on the WAN interface members list.
add interface=Wireless Internet list=WAN
Done

(3) WARNING! You are missing a defaut firewall rule that protects ones Router on the input chain!
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input in-interface-list=!LAN

Aded

(4) Unless using the MT app, I would set these to none.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

(5) You can set this rule to NONE.
/tool mac-server
set allowed-interface-list=LAN

(6) Now to look at your bridge and vlan settings!!
{bridgeports}
a. it looks like you are sending VLAN10 to etherports 2-7 as access ports to dumb devices!b Yes
b. it looks like you are sending VLAN30 to etherport 8 as an access port to a dumb device Yes
c. it looks like your sending a bunch of vlans to SFP1 as a trunk port to a smart device that can read vlan tags Yes
{vlan filtering}
d. nicely done, confirms the above.......... On SFP1 iz Cisco Gigabit switch so Trunk port is used to distribute all using vlan-s

Other recommendations:

(7) Forward firewall chain.......
Change this one rule that tries to do two things but is actually inefficient once one starts changing the config with additional requirements!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

To this!
add action=allow chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"


This accomplishes all the initial rule did plus more!
a. it still allows port forwarding as an allow rule by itself, so its clearer and if one didnt need port forwarding they could disable or remove it.
b. it stops all wan to lan traffic like the initial rule BUT BUT also stops all LAN to WAN and LAN to LAN traffic. *****

***** So now you should realize two things.
i. You no longer need rules to block traffic between vlans/subnets, it is already accomplished, so you can get rid of these two rules no longer needed:
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
add action=drop chain=input dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
Only ghestd vlan need to unabte to accesss or ping other vlan... Other vlan can communicate one to other, over RR3011 (L3)

ii. The last drop all rule also stop internet access so to enable it (and if all the vlans need it then its simple)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

If, for example you only wanted 3/4 vlans to get internet what I would do is create another interface list call ie Allow-Net
add interface=vlanXX list=Allow-Net
add interface=vlanYY list=Allow-Net
add interface=vlanzz list=Allow-Net

iii. If you, as admin, are on the management net .254 and want to be able to access all VLANs from that net then you will need to add before the drop all last rule ........
add action=accept chain=forward in-interface=vlan254 out-interface-list=LAN

(8) Lastly speaking about management net, I am not sure of its purpose.
but right now with the default rules everybody on the LAN can access the router adn that generally is a bad practice.
Suggesting that you narrow that down to at least the management net IF that is where you will want to be able to access the router from.
Often as admin you may log into any vlan at any point in time and from there want to be able to log into the router.

So you need to state the requirements clearly and then I can help you set that up so it makes sense.

Okay, then repost the config so I am working with the exact config you have now........