(1) Missing tagging the bridge!!!!
interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30
Yes, my knowledge is limited here. Tagging the bridge and giving it an IP allows the unit to be managed, is that correct? According to the help guides, something like this would work for managing via VLAN 30:
/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30
/interface vlan
add interface=bridge1 name=MGMT vlan-id=30
/ip address
add address=192.168.3.1/24 interface=MGMT
(2) Ether23 has no business on this rule...... They would have to have been PVID on the bridge ports for this to be true but you showed them as trunk ports???
add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
You're right, I forgot to add PVID for these ports in the bridge port config. They are "hybrid" trunk ports with multiple tagged VLANs and a "native" (i.e. untagged) VLAN. I am not sure if it's possible for the WiFi APs I have to be configured without a native VLAN (UniFi AP AC Lite).
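The bridge-port side that the reply above says was left out, written out as an added example that is not part of the original post: ether21 and ether23 are hybrid ports with pvid=10 as the native VLAN and VLANs 20/30 tagged, ether3 is a tagged-only trunk, the access ports get their VLAN from pvid, and bridge1 itself is a tagged member of VLAN 30 so the MGMT interface is reachable. The bridge, interface and port names and the 192.168.3.1/24 address are the ones already in the thread (second config, sfp-sfpplus naming); the frame-types and ingress-filtering values are this example's own choice for what each port type should accept, and vlan-filtering is enabled last so management access is not lost mid-configuration.

```routeros
# Added example, not from the thread. Names/addresses follow the thread's
# second config; frame-types and ingress-filtering settings are assumptions.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# ether3: trunk to the router, every VLAN tagged, untagged frames dropped
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether21/ether23: hybrid ports to the APs, native VLAN 10 plus tagged 20/30
# (frame-types stays at the default admit-all because both kinds arrive)
add bridge=bridge1 interface=ether21 pvid=10 ingress-filtering=yes
add bridge=bridge1 interface=ether23 pvid=10 ingress-filtering=yes
# VLAN 10 access ports: untagged only, pvid assigns the VLAN
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# VLAN 20 access ports
add bridge=bridge1 interface=ether15 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether16 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# VLAN 30 access ports
add bridge=bridge1 interface=ether19 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether20 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# the untagged list must agree with the pvid set on each port above
add bridge=bridge1 tagged=ether3 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
# bridge1 is tagged here so the switch's own MGMT interface sits in VLAN 30
add bridge=bridge1 tagged=bridge1,ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30

/interface vlan
add interface=bridge1 name=MGMT vlan-id=30
/ip address
add address=192.168.3.1/24 interface=MGMT

# enable filtering only after ports and VLAN table are consistent
/interface bridge
set bridge1 vlan-filtering=yes
```

Two checks worth doing after applying it: `/interface bridge vlan print` should show no port listed as untagged in one VLAN while its pvid points at another, and `/interface bridge host print` should show the AP MACs learned on ether21/ether23 in VLAN 10. Note that this table only decides which VLANs a port carries; it does nothing to stop two hosts in the same VLAN talking to each other through the switch, which is the separate question raised later in the thread.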
(3) Don't know what this crap is about but I would not do it, as all you want can be accomplished by saner methods.
Such as??? The method you describe as "crap" is from the Mikrotik help guide. You're telling me it's easy and not messy but you're not telling me how to do it.
(4) Yes, why would you put untrusted users/devices and trusted users/devices on the same VLAN or subnet, it's plain mind-boggling.
Create a separate vlan for untrusted users/devices. For WIFI appliances simply create a separate SSID and security profile to separate trusted users/devices and untrusted users/devices and associate the untrusted vlan(s) with those SSIDs etc.
Where have I said that I've put untrusted and trusted devices on the same VLAN or subnet?? What you describe is exactly what I'm doing! VLAN 20 and 30 are for untrusted devices, VLAN 10 is for trusted. Separate SSIDs exist for each VLAN. I really don't think you're understanding what I'm saying despite me trying to be very explicit.
For example in my home I have a guest VLAN setup. I have several APs in the house, on two of them I have one VLAN for guest users, in the basement apartment I provided a different guest VLAN for the tenants, separate from the guest VLAN.
It's not messy,
It's: create VLAN, interface is bridge
Create IP address, IP pool, DHCP server, DHCP-server network
Add vlan to interface list members (so they get internet and DNS access).
Done
This sounds like you're routing using the Mikrotik device though, which I don't want to do because the performance will be poor. I want to use the switch chip and my existing router will do L3 stuff. How do you stop untrusted "guest" devices on your two house APs talking to each other? If they're on the SAME AP then the AP deals with that but what if they're on DIFFERENT APs?
Change bridge port settings as required
Change bridge VLAN settings as required.
Make WiFi changes on WiFi devices as required.
In terms of firewall rules, if you have the drop rule at the end of the forward chain, all traffic between vlans is automatically dropped.
Again, this assumes the router and switch are a single device. My router rules are all correct for separating VLANs etc. but that doesn't help if the switch is going to allow devices to talk to each other regardless. Yes, stopping devices on DIFFERENT VLANs talking is easy but I am trying to stop devices ON THE SAME VLAN talking to each other via the switch.