Sorry, I don't review PCUNITE format LOL. So I looked at the real config instead.
# model = RB5009UG+S+
# serial number =
REMOVED FOR SECURITY REASONS
/interface bridge
# Single bridge carrying all VLANs. protocol-mode=none disables (R)STP on it.
# vlan-filtering=yes is enabled on BR1 only as the last configuration step (see below),
# after the VLAN table and port memberships exist.
add name=BR1 protocol-mode=none
vlan-filtering=YES {
ADD THIS AS THE LAST CONFIG ENTRY }
/interface vlan {
removed VLAN 40 as it was not referenced anywhere else }
# Layer-3 VLAN interfaces on the bridge; each vlan-id must also appear in the
# /interface bridge vlan table below (with BR1 tagged) or the router CPU never sees it.
# MANAGEMENT_VLAN (80) is the only one granted full access to the router in the input chain.
add interface=BR1 name=MANAGEMENT_VLAN vlan-id=80
add interface=BR1 name=HOME_VLAN vlan-id=100
add interface=BR1 name=VICO_VLAN vlan-id=104
add interface=BR1 name=WORK_VLAN vlan-id=108
add interface=BR1 name=SHARED_VLAN vlan-id=112
add interface=BR1 name=HA_VLAN vlan-id=116
add interface=BR1 name=IOT_VLAN vlan-id=120
add interface=BR1 name=ENTERTAIN_VLAN vlan-id=124
add interface=BR1 name=GUESTS_VLAN vlan-id=128
/interface list (
expanded; you will see why in the forward chain )
# Interface lists referenced by the firewall; membership is assigned under /interface list member.
# ACCESS-TO and RECEIVER are the "may initiate" and "may be reached" sides of the forward "Allowed" rule.
add name=WAN
add name=VLAN
add name=BASE
add name=ACCESS-TO
add name=RECEIVER
/interface bridge port {
assuming ether2 and sfp-sfpplus1 go to managed devices. Added the missing components; they are not 100% necessary, but worth having }
# Trunk ports (ether2, sfp-sfpplus1) admit tagged frames only; access ports admit
# untagged/priority-tagged frames and place them in their pvid VLAN.
# ingress-filtering=yes drops frames tagged with a VLAN the port is not a member of
# (membership is the /interface bridge vlan table below).
# ether1 is deliberately not a bridge port: it is the WAN interface (see /interface list member).
add bridge=BR1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=80
add bridge=BR1 interface=ether4 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=112
add bridge=BR1 interface=ether5 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=108
add bridge=BR1 interface=ether6 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=104
add bridge=BR1 interface=ether7 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=100
add bridge=BR1 interface=ether8 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=80
add bridge=BR1 interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan {
the untagged= part is optional, but I prefer to have it visible in exports so it is easy to cross-check against the port settings }
# Bridge VLAN table. BR1 is tagged in every VLAN so the /interface vlan interfaces above
# (router CPU side) receive the traffic; the untagged= lists mirror the pvid set on each access port.
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether3,ether8 vlan-ids=80
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether7 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether6 vlan-ids=104
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether5 vlan-ids=108
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether4 vlan-ids=112
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1
vlan-ids=116,120,124,128 {
when the entries have no differences (i.e. no untagged ports) you can combine them on one line }
/interface list member {
removed ether8 as it was redundant --> you already have the management VLAN on both the VLAN and BASE lists, and that is what is carried over ether8 }
# List membership. WAN = ether1 only; VLAN = every VLAN interface (the firewall's "inside");
# BASE = management VLAN only; ACCESS-TO (HOME, VICO) may initiate connections to
# RECEIVER (SHARED, ENTERTAIN, HA) via the forward "Allowed" rule.
# NOTE(review): BASE is populated but no firewall rule in this listing matches on it.
add interface=ether1 list=WAN
add interface=HOME_VLAN list=VLAN
add interface=VICO_VLAN list=VLAN
add interface=WORK_VLAN list=VLAN
add interface=SHARED_VLAN list=VLAN
add interface=HA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=ENTERTAIN_VLAN list=VLAN
add interface=GUESTS_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=BASE
add interface=HOME_VLAN list=ACCESS-TO
add interface=VICO_VLAN list=ACCESS-TO
add interface=SHARED_VLAN list=RECEIVER
add interface=ENTERTAIN_VLAN list=RECEIVER
add interface=HA_VLAN list=RECEIVER
/ip dns static {
REMOVED this default setting}
/ip firewall address-list (
removed all subnets that are on the router; address lists are not appropriate for them, INTERFACE LISTS ARE !!)
REMOVED all BOGON lists, as they should only be used
if you know what you are doing, which is clearly not the case here. If you do use them later, you don't need firewall rules for them — just black-hole them in routing.
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet )
/ip firewall filter {
RULES NOT IN ORDER EGADS.........}
(
default rules)
# Input chain, default-config part. The first matching rule wins, so order matters.
# NOTE(review): 'untracked' only has an effect if /ip firewall raw notrack rules exist (none shown here).
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid
# NOTE(review): no in-interface-list match, so ICMP is accepted from WAN as well as from the VLANs;
# add in-interface-list=!WAN or a rate limit if answering ICMP from the internet is not wanted.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(
admin rules)
add action=accept chain=input comment=\ {
The ether8 rule was garbage and has been removed }
"Allow Management VLAN f\C3\BCll acceess" in-interface=MANAGEMENT_VLAN
# Input chain, admin part (follows the full-access rule for MANAGEMENT_VLAN above).
# NOTE(review): 'port=' matches either the source OR the destination port, so a VLAN host
# sending from source port 53 reaches any router service; 'dst-port=53' limits these two
# rules to actual DNS queries.
add action=accept chain=input comment="allow DNS from VLAN" \
in-interface-list=VLAN port=53 protocol=tcp
add action=accept chain=input comment="allow DNS from VLAN" \
in-interface-list=VLAN port=53 protocol=udp
# Final input drop: anything not matched above is dropped, including every new connection
# from WAN other than ICMP. Add log=yes log-prefix=... here if dropped input should show up in /log.
# NOTE(review): no rule in this chain accepts DHCP (UDP 67/68) from the VLANs; if the router is
# their DHCP server, confirm clients still obtain leases — TODO verify.
add action=drop chain=input comment=Drop
(
default rules)
# Forward chain, default-config part.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack and the established/related accept must stay ahead of the per-VLAN rules below:
# once a connection is fasttracked its packets no longer traverse the rest of this chain,
# and only new connections reach the admin rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
(
admin rules)
# Forward chain, admin part: only new connections get this far; replies are covered by
# the established/related accept above.
add action=accept chain=forward comment="Internet" in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): no in-interface-list match here, so any dst-nat'ed connection is accepted
# regardless of ingress interface; exposure is decided entirely by the /ip firewall nat rules (not shown).
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# ACCESS-TO (HOME, VICO) may open connections to RECEIVER (SHARED, ENTERTAIN, HA); not the reverse.
add action=accept chain=forward comment="Allowed" in-interface-list=ACCESS-TO out-interface-list=RECEIVER
add action=accept chain=forward comment="ENT to SH" in-interface=ENTERTAIN_VLAN out-interface=SHARED_VLAN
# Final forward drop. IOT_VLAN and GUESTS_VLAN therefore reach only WAN, and WAN reaches
# nothing inside except via dst-nat (or the IPsec policy accepts above).
# NOTE(review): the not_in_internet address list defined above is not referenced by any rule in this listing.
add action=drop chain=forward comment=Drop
.