ConfuserWorks
just joined
Topic Author
Posts: 2
Joined: Thu Jan 18, 2024 7:46 pm

VLAN Trunk with an IP Address not working correctly.

Fri Jan 19, 2024 4:59 am

Hello all,

Context:
Like many in this forum I'm new to MikroTik and I have an issue I've been pulling my hair out over for the past 3 weeks, and I've spent an immense amount of time scanning forums and YouTube videos trying to fix it, hence the desperation of a forum post. I am 95% sure that it is a misconfiguration that can be resolved in 30 seconds by someone more experienced in bridges. I am trying to use a CRS310-8G+2S+IN on RouterOS 7.13.1 as a layer 3 switch to route traffic at both L2 and L3. The network is fairly complex, as some VLANs are hosted on the router and some are hosted on the switch meaning traffic must be routed over a main routed trunk link connecting a router and switch. Note that the CRS310-8G+2S+ is replacing a Ubiquiti EdgeSwitch 8 150W and with that device the configuration works as expected, the goal is to match the configs as closely as possible such that it works the same. Please use the attached diagram to make sense of the below (note that I tried jpg/png/pdf and all show "invalid" - to this end, I've included the diagram in a gDrive Link:
https://drive.google.com/drive/folders/1PJSqh0BDMx9WHt3yZ6ILqtBRq2_7sgqU?usp=sharing

(this was due to web session timeout, now fixed, no need to go to gDrive link.)

Issue:
Devices on the same VLAN cannot arp or ping each other across an L3 6.0/30 network link:
> 7.101 (DC1 VM on AIO) cannot ping or arp 7.1 (hosted on SW1)
> 7.9 (file server connected to SW1) cannot arp or ping 7.101 (DC1) or vice versa
>> even though these devices are on the same VLAN 207 hosted on the SW1 (MikroTik), just across/through that L3 6.0/30 network
> 6.1 can ping 6.2 and vice versa, both can reach internet - 8.8.8.8
> File server .7.9 on SW1 can also reach internet
> DC1 cannot reach internet as it cannot reach .7.1, but it can ping another VM on the same side of the L3 link, .7.50 - same for .7.50 - Can reach DC1 but not .7.1 & internet
> It is not the AIO config as this works fine with the L3 switch that is being replaced.

Scenario:
MikroTik ether1 10.254.6.2/30 is connected to a pfSense router VM hosting address 10.254.6.1/30. Each hosts its own VLANs, and devices on those VLANs can talk to each other, but not across that L3 6.0/30 network link like they are supposed to/can on the device being replaced.

Here is all MikroTik side config relating to these interfaces and networks:
/interface bridge
add mtu=9198 name=bridge0 priority=0x2000 protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=9216 mtu=9198
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216 mtu=9198
/interface vlan
add interface=bridge0 mtu=9198 name=v201_Link_1 vlan-id=201
add interface=bridge0 mtu=9198 name=v207_Servers_S vlan-id=207
/interface ethernet switch
set 0 l3-hw-offloading=yes name=switch0
/interface bridge port
# from export, this line doesn't explicitly state PVID 1 but I think it is implied/correct, if not, this is part of the problem
add bridge=bridge0 interface=ether1
add bridge=bridge0 interface=sfp-sfpplus2 pvid=207
/interface bridge vlan
add bridge=bridge0 tagged=bridge0,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,sfp-sfpplus2,ether1 vlan-ids=201
add bridge=bridge0 comment=Servers_S tagged=bridge0,ether2,ether3,ether4,ether5,ether6 untagged=ether7,ether8,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=207
/ip address
add address=10.254.6.2/30 interface=v201_Link_1 network=10.254.6.0
add address=10.254.7.1/25 interface=v207_Servers_S network=10.254.7.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.254.6.1 routing-table=main suppress-hw-offload=no

Here is all the relevant config from the device that is being replaced for reference (a Ubiquiti EdgeSwitch 8 150W, whose configuration works correctly) - this is the target config I'm trying to reach with the MikroTik:
vlan database
vlan name 201 'Link_1'
vlan routing 201 1
vlan name 207 'Servers_S'
vlan routing 207 7
exit
ip routing
ip route 0.0.0.0 0.0.0.0 10.254.6.1
interface vlan 201
description 'UpLink_1'
routing
ip mtu 9198
ip address 10.254.6.2 255.255.255.252
no shut
exit
interface vlan 207
description 'Servers_S'
routing
ip mtu 9198
ip address 10.254.7.1 255.255.255.128
no shut
exit
interface 0/1-0/2
description 'SWLocal_UpLink'
mtu 9216
switchport mode trunk
switchport trunk allowed vlan all
no shut
exit
interface 0/5
description 'Servers_S'
mtu 9216
switchport mode trunk
switchport trunk allowed vlan all
switchport trunk native vlan 207
no shut
exit

Maybe this has something to do with the way VLAN filtering works, or my lack of understanding of the 5 structures at play here:
A - The physical interface ether1
B - The VLANs 201 and 207 with IP(s) sitting on top of bridge0
C - The bridge0
D - The bridge port(s)
E - The bridge VLAN(s)
I apologize for my incompetence and thank you in advance to anyone who helps me figure this out.
 
ConfuserWorks
just joined
Topic Author
Posts: 2
Joined: Thu Jan 18, 2024 7:46 pm

Re: VLAN Trunk with an IP Address not working correctly.  [SOLVED]

Wed Jan 31, 2024 6:04 am

Didn't set ether1/uplink to tagged on all VLANs.
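
The resolution above can be checked mechanically against the export from the first post. The following is an added example, not code from the thread or from MikroTik: it parses the `/interface bridge vlan` section and lists the VLANs on which the uplink port is not a tagged member. The function names are hypothetical, and it assumes each `add` entry sits on a single line.

```python
import re

# Bridge VLAN table copied from the export in the first post (non-working state).
EXPORT = """\
/interface bridge vlan
add bridge=bridge0 tagged=bridge0,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,sfp-sfpplus2,ether1 vlan-ids=201
add bridge=bridge0 comment=Servers_S tagged=bridge0,ether2,ether3,ether4,ether5,ether6 untagged=ether7,ether8,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=207
"""


def expand_ids(spec):
    """Expand a vlan-ids value such as '207' or '201,205-207' into a list of ints."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_bridge_vlans(export):
    """Return {vlan_id: set of tagged ports} from the '/interface bridge vlan' section."""
    tagged_by_vlan, in_section = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface bridge vlan"
        elif in_section and line.startswith("add "):
            props = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            ports = {p for p in props.get("tagged", "").split(",") if p}
            for vid in expand_ids(props["vlan-ids"]):
                tagged_by_vlan.setdefault(vid, set()).update(ports)
    return tagged_by_vlan


def vlans_missing_on_trunk(export, trunk_port, expected_vlans):
    """List the expected VLANs on which trunk_port is not a tagged member."""
    table = parse_bridge_vlans(export)
    return sorted(v for v in expected_vlans if trunk_port not in table.get(v, set()))


if __name__ == "__main__":
    # ether1 is the uplink; 201 and 207 are the VLANs the thread expects to cross it.
    print(vlans_missing_on_trunk(EXPORT, "ether1", [201, 207]))
```

With VLAN filtering enabled on the bridge, a VLAN reported here is one whose tagged frames the uplink port will not carry, which matches the VLAN 207 symptom described in the first post.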
