After really digging into this for two days I believe I've found the source of the issue but I do not have the solution. After following https://wiki.mikrotik.com/wiki/Manual:C ... AN_Routing I've found that packets which cross the routing CPU (packets going from one VLAN to another) or traveling through the WAN are delivered to the destination interface without the tag being stripped.
Using the example from the link above that means if the computer A connected to ether6 on VLAN200 tries to ping the computer B connected to ether7 on VLAN300 computer B receives packets with the VLAN ID 300 still in tact. If we add another port and computer to VLAN200 say on ether10 called computer C, it can ping computer A and the tags are removed on Egress. If any of these computers ping a public website like 18.104.22.168 the return packets are received by the computer with the tag in tact and can be seen using Wireshark.
Oddly this is not an issue when I'm booted into Windows, as I understand it Win ignores VLAN tags but when I'm in Linux (as I am most of the time) or for any of the other hardware (security cameras, Linux servers, SmartTV) the system is brought to it's knees. I've seen other similar posts, some people say rebooting helps (hasn't helped me) I've tried:
/interface ethernet switch port set egress-vlan-mode=untagged numbers=x (this seams to have no effect at all)
/interface ethernet switch vlan add vlan-id=0 ports=etherX (I end up with two tags on received packets, one for the VLAN ID and one with ID 0)
/interface ethernet switch egress-vlan-translation> add new-customer-vid=0 customer-vlan-format=any ports=etherX (again I end up with two tags on received packets, one for the VLAN ID and one with ID 0)
I really don't want to abandon VLANs on this switch, I love the hardware but this is a game killer. Advice or suggestions are very welcome.