Your config is one big bloated mess though LOL. (your config has diabetes)
One bridge
Identify all VLANs, each with an interface on the single bridge.
VLANs require an IP address, DHCP server, DHCP server network and IP pool.
Assign bridge ports.
Assign bridge VLAN settings.
Reduce and simplify the firewall rules; they are simply atrocious.
Set bridge VLAN filtering to enabled.
Also simplify all NAT rules (including the hairpin NAT rule).
PPPoE doesn't need to be on any VLAN unless the ISP demands it; otherwise it's just a plain vanilla setup for cable, fiber or PPPoE.
What is the purpose of the mangling?
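The steps in the reply above, written out as one RouterOS export. This is an added example and not either poster's configuration: the interface names, VLAN IDs, subnets, PPPoE credentials and the server address 10.20.0.10 are all assumptions chosen for illustration, and the VLAN 10 tag for PPPoE is placed on the physical WAN port rather than the bridge, as the reply suggests.

```routeros
# Added example, not the original poster's config. All names, VLAN IDs,
# addresses and credentials below are assumptions for illustration.
# Work from a serial/MAC-Winbox session or /system safe-mode: enabling
# vlan-filtering with a wrong bridge vlan table locks you out.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering stays off until ports and VLANs exist"

# One /interface vlan per VLAN, all hanging off the single bridge.
/interface vlan
add name=vlan20-lan   interface=bridge1 vlan-id=20
add name=vlan30-wifi  interface=bridge1 vlan-id=30
add name=vlan40-iot   interface=bridge1 vlan-id=40
add name=vlan99-admin interface=bridge1 vlan-id=99
# ISP demands PPPoE inside VLAN 10: tag the physical WAN port, not the bridge.
add name=vlan10-wan   interface=ether1 vlan-id=10

/interface pppoe-client
add name=pppoe-out1 interface=vlan10-wan user=ispuser password=isppass \
    add-default-route=yes use-peer-dns=yes disabled=no

# Each VLAN: address, pool, DHCP server, DHCP network.
/ip address
add address=10.20.0.1/24 interface=vlan20-lan
add address=10.30.0.1/24 interface=vlan30-wifi
add address=10.40.0.1/24 interface=vlan40-iot
add address=10.99.0.1/24 interface=vlan99-admin
/ip pool
add name=pool-lan  ranges=10.20.0.100-10.20.0.200
add name=pool-wifi ranges=10.30.0.100-10.30.0.200
add name=pool-iot  ranges=10.40.0.100-10.40.0.200
/ip dhcp-server
add name=dhcp-lan  interface=vlan20-lan  address-pool=pool-lan  disabled=no
add name=dhcp-wifi interface=vlan30-wifi address-pool=pool-wifi disabled=no
add name=dhcp-iot  interface=vlan40-iot  address-pool=pool-iot  disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1
add address=10.30.0.0/24 gateway=10.30.0.1 dns-server=10.30.0.1
add address=10.40.0.0/24 gateway=10.40.0.1 dns-server=10.40.0.1

# Bridge ports: access ports get a pvid, the trunk to the APs carries tags only.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=99 frame-types=admit-only-untagged-and-priority-tagged comment="admin/IMM only"
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk to hAP ac"

# Bridge VLAN table: bridge1 itself is a tagged member wherever a /interface vlan
# sits on it, otherwise the router's own VLAN interfaces never see traffic.
/interface bridge vlan
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4 untagged=ether2
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether4
add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether4
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether3

# Interface lists keep the firewall short: rules reference lists, not interfaces.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=vlan20-lan
add list=LAN interface=vlan30-wifi
add list=LAN interface=vlan40-iot
add list=LAN interface=vlan99-admin

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan99-admin comment="management only from admin VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="DNS and DHCP"
add chain=input action=drop
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=vlan40-iot out-interface-list=LAN comment="IoT stays on its own VLAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="port forwards only"
add chain=forward action=drop

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# Port forward plus hairpin: dst-address-type=local matches the dynamic PPPoE
# address, so one dst-nat rule serves both outside and inside clients.
add chain=dstnat action=dst-nat to-addresses=10.20.0.10 protocol=tcp dst-port=443 \
    dst-address-type=local dst-address=!10.20.0.1
add chain=srcnat action=masquerade src-address=10.20.0.0/24 dst-address=10.20.0.10 \
    protocol=tcp dst-port=443 comment="hairpin NAT"

# Last: turn filtering on only after the table above is verified.
/interface bridge set bridge1 vlan-filtering=yes
```

Order matters: the bridge VLAN table and the bridge's own tagged membership must be in place before `vlan-filtering=yes`, and the management session should arrive on a VLAN that the table already carries. The `fasttrack-connection` rule bypasses mangle-based queues for the connections it matches, so if the mangle marks for bandwidth limiting are kept, they need a rule ahead of it that excludes the marked traffic from fasttrack.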
OK, accepted it's large; I'm just not sure where or how I can trim.
Both ISPs need to have VLAN 10 for their PPPoE, hence the setup as it is.
The mangle is for tagging connections/packets for bandwidth limiting the WiFi and IoT client devices, so the server doesn't get left with insufficient bandwidth to serve our internet clients.
I have four hAP ac devices throughout the site and need to keep LAN / WiFi / IoT traffic for the connected devices separate, hence three VLANs and bridges for that. I also have an ultra-secure admin bridge that I access via an OpenVPN client so I can securely access the IMM interface on the server. I also use a similar kind of setup on a site I manage halfway around the planet with 10 MT devices across three buildings. It works, I never touch it, and it has been totally reliable and secure since 2016; I even did a remote upgrade of the main router from a CRS226-24G-2S+-IN to a CCR1036-12G-4S, with someone on site to swap cables one at a time as instructed.
As you can no doubt tell, this setup is the result of many different Google / wiki / forum examples. It would be great if the wiki actually had some "best practice" examples that covered more than a single simple topic, because as you stitch them all together you get something like what I currently have.
At the moment I am in the "let's get it going" phase. Refinement is on my to-do list.
Thanks for looking and responding.
Since I posted this I have tried adding dual-stack IPv6 (my first time playing with IPv6), so now it REALLY IS big.
IPv6 seems flaky and unreliable, whereas the IPv4 "just works"; that's probably down to my inexperience with IPv6. I can get it up and working for a while, and then it fails at some random time after a reboot. Reboot and all is well again... rinse and repeat. Needless to say, this is unacceptable.
I have watched numerous MUM YouTube videos in an effort to understand better, but find most of them difficult to follow, and for some I cannot read the slides and thus get lost along the way.
Not sure where to go from here; I'm happy to research, read, learn and try things, but I am finding it hard to find reliable input and examples.
E.g. for multi-AP WiFi at a single client site, one example says use the same SSID for all APs, another says also use a single SSID for both 2 GHz and 5 GHz but different frequencies for each AP.
Another example says use the same frequencies on every AP and the same SSID, yet another says handover from one AP to another drops packets if you do this, another says use CAPsMAN, and so I am left wondering what to do, with limited time and ability to test different setups.
Sorry for the rant, I'm just finding it really difficult to get this new client's setup working like it should. It's close, but not yet reliable like it should be.
Thanks for your time.