I've tried to migrate from 6 stable to latest 7.x firmware several times, but always rolled back as I can't solve the issue with my VLANs.
Immediately after the update, everything stops working except the management VLAN:
- no DHCP from Mikrotik
- allowed inter-vlan traffic ceases to flow.
- gateway not available.
I've reviewed my setup several times and compared it to the MikroTik VLAN wiki, but failed to see any flaws.
Physically, the router has 2 trunk ports on eth1 and eth2; the uplinks are eth4 and eth5 (disabled).
The eth1 trunk receives a bunch of VLANs from a CRS switch; eth2 goes to a server (VLAN4 and VLAN5).
# One bridge with VLAN filtering on; the bridge (CPU) port itself is set to
# admit only VLAN-tagged frames and to filter on ingress.
/interface bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge vlan-filtering=yes
# ether5 and sfp1 are administratively disabled; ether2 is only labelled.
/interface ethernet
set [ find default-name=ether2 ] comment=Server
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
# NOTE(review): every VLAN interface below except vlan-80 is bound directly to
# ether1 or ether2, and both of those ports are also added to "bridge" under
# /interface bridge port. A VLAN interface placed on a bridge member port is a
# documented Layer-2 misconfiguration in RouterOS; with vlan-filtering=yes the
# routed VLAN interfaces normally sit on the bridge itself, as vlan-80 does.
# vlan-80 is also the only VLAN reported as still working after the upgrade,
# so this is the likely cause - confirm on the device.
# Segmentation impact: the firewall, DHCP servers and gateway addresses are
# all keyed to these interface names, so the inter-VLAN policy only exists
# while traffic really arrives on them.
/interface vlan
add interface=ether2 name=vlan-4 vlan-id=4
add interface=ether2 name=vlan-5 vlan-id=5
add interface=ether1 name=vlan-14 vlan-id=14
add interface=ether1 name=vlan-15 vlan-id=15
add interface=ether1 name=vlan-16 vlan-id=16
add interface=ether1 name=vlan-17 vlan-id=17
add interface=ether1 name=vlan-20 vlan-id=20
add interface=bridge name=vlan-80 vlan-id=80
# Interface lists used for grouping. WAN pulls in every member of WAN_BACKUP
# through include=, so a rule matching the WAN list also matches the backup uplink.
/interface list
add name=CONTROL
add name=INSIDE
add name=WAN_BACKUP
add include=WAN_BACKUP name=WAN
# One /24 pool per VLAN, each handing out .100-.200.
/ip pool
add comment=Management name=vlan-80-pool ranges=10.0.80.100-10.0.80.200
add comment=Camera name=vlan-20-pool ranges=10.0.20.100-10.0.20.200
add comment=WiFi name=vlan-15-pool ranges=10.0.15.100-10.0.15.200
add comment="Guest WiFi" name=vlan-16-pool ranges=10.0.16.100-10.0.16.200
add comment=IOT name=vlan-14-pool ranges=10.0.14.100-10.0.14.200
add comment="Servers pool" name=vlan-4-pool ranges=10.0.4.100-10.0.4.200
add comment="Isolated Servers Pool" name=vlan-5-pool ranges=10.0.5.100-10.0.5.200
add comment="IOT VPN" name=vlan-17-pool ranges=10.0.17.100-10.0.17.200
# One DHCP server per VLAN interface, 1h leases.
# NOTE(review): each server only answers on the VLAN interface it is bound to.
# All of them except vlan-80-dhcp depend on VLAN interfaces that are defined
# on ether1/ether2 rather than on the bridge, which matches the reported
# "no DHCP except management" symptom - presumably the same root cause.
/ip dhcp-server
add address-pool=vlan-80-pool disabled=no interface=vlan-80 lease-time=1h name=vlan-80-dhcp
add address-pool=vlan-20-pool disabled=no interface=vlan-20 lease-time=1h name=vlan-20-dhcp
add address-pool=vlan-15-pool disabled=no interface=vlan-15 lease-time=1h name=vlan-15-dhcp
add address-pool=vlan-16-pool disabled=no interface=vlan-16 lease-time=1h name=vlan-16-dhcp
add address-pool=vlan-14-pool disabled=no interface=vlan-14 lease-time=1h name=vlan-14-dhcp
add address-pool=vlan-4-pool disabled=no interface=vlan-4 lease-time=1h name=vlan-4-dhcp
add address-pool=vlan-5-pool disabled=no interface=vlan-5 lease-time=1h name=vlan-5-dhcp
add address-pool=vlan-17-pool disabled=no interface=vlan-17 lease-time=1h name=vlan-17-dhcp
# Bridge membership: ether1 and ether2 are tagged-only trunks with ingress
# filtering; ether3 is an access port whose untagged traffic lands in VLAN 80.
# ether4 is not added as a bridge port anywhere in this export.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge interface=ether3 pvid=80
/ip settings
set allow-fast-path=no
# Bridge VLAN table.
# NOTE(review): only VLAN 80 lists "bridge" as a tagged member. For VLANs 4, 5,
# 14-17 and 20 the bridge (CPU) port is not a member, so VLAN interfaces
# created on the bridge for those IDs would see no traffic until "bridge" is
# added to tagged= on each entry.
# NOTE(review): ether4 appears as untagged in VLAN 80 and VLAN 15, yet ether4
# is the WAN uplink (WAN list member, DHCP client) and is not a bridge port.
# As exported the entries refer to a non-member port; if ether4 were ever
# added to the bridge, the uplink would join the management and WiFi VLANs
# untagged. Removing ether4 from these entries avoids that exposure.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3,ether4 vlan-ids=80
add bridge=bridge comment=camera tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1 vlan-ids=16
add bridge=bridge tagged=ether1 vlan-ids=14
add bridge=bridge tagged=ether2 vlan-ids=4
add bridge=bridge tagged=ether2 vlan-ids=5
add bridge=bridge comment="IOT VPN" tagged=ether1 vlan-ids=17
# List membership. Only the WAN list (ether4, plus ether5 via WAN_BACKUP) is
# referenced by the firewall rules in this export; INSIDE and CONTROL are not
# used by any visible rule.
/interface list member
add interface=ether4 list=WAN
add interface=ether1 list=INSIDE
add interface=bridge list=CONTROL
add interface=ether5 list=WAN_BACKUP
# The router is .222 in every VLAN subnet; these addresses are the gateways
# handed out by the DHCP networks below.
/ip address
add address=10.0.80.222/24 comment="Management network" interface=vlan-80 network=10.0.80.0
add address=10.0.20.222/24 comment="Camera network" interface=vlan-20 network=10.0.20.0
add address=10.0.15.222/24 comment="WiFi network" interface=vlan-15 network=10.0.15.0
add address=10.0.16.222/24 comment="Guest WiFi network" interface=vlan-16 network=10.0.16.0
add address=10.0.4.222/24 comment="Servers network" interface=vlan-4 network=10.0.4.0
add address=10.0.14.222/24 comment="TV WiFi" interface=vlan-14 network=10.0.14.0
add address=10.0.5.222/24 comment="Isolated Servers" interface=vlan-5 network=10.0.5.0
add address=10.0.17.222/24 comment="IOT VPN" interface=vlan-17 network=10.0.17.0
# Uplink DHCP clients. ether5 has the lower route distance (10) but the port
# is disabled under /interface ethernet, leaving ether4 (distance 20) in use.
# NOTE(review): the ether4 client does not set use-peer-dns, so the default
# applies - presumably upstream-supplied resolvers are accepted on that link;
# confirm whether that is intended alongside the static servers in /ip dns.
/ip dhcp-client
add default-route-distance=10 disabled=no interface=ether5 use-peer-dns=no use-peer-ntp=no
add default-route-distance=20 disabled=no interface=ether4
# Per-subnet DHCP options. Three resolver choices are in use: the router
# itself (VLANs 14, 16, 20), 10.10.1.1 (VLANs 4, 15, 80) and public resolvers
# (VLANs 5, 17).
# NOTE(review): 10.10.1.1 lies outside every subnet defined in this export -
# presumably reached through the IPsec tunnel; confirm it is reachable from
# those VLANs under the forward-chain rules.
/ip dhcp-server network
add address=10.0.4.0/24 comment="Servers DHCP" dns-server=10.10.1.1 domain=-snip- gateway=10.0.4.222 ntp-server=10.0.4.222
add address=10.0.5.0/24 comment="Isolated Servers DHCP" dns-server=208.67.222.222,208.67.220.220 domain=-snip- gateway=10.0.5.222
add address=10.0.14.0/24 comment="TV WiFi" dns-server=10.0.14.222 domain=-snip- gateway=10.0.14.222 ntp-server=10.0.14.222
add address=10.0.15.0/24 comment=WiFi dns-server=10.10.1.1 domain=-snip- gateway=10.0.15.222 ntp-server=10.0.15.222
add address=10.0.16.0/24 comment="Guest WiFi" dns-server=10.0.16.222 domain=-snip- gateway=10.0.16.222 ntp-server=10.0.16.222
add address=10.0.17.0/24 comment="IOT VPN" dns-server=208.67.222.222,208.67.220.220 gateway=10.0.17.222
add address=10.0.20.0/24 comment=Camera dns-server=10.0.20.222 domain=-snip- gateway=10.0.20.222 ntp-server=10.0.20.222
add address=10.0.80.0/24 caps-manager=10.0.80.222 comment=Management dns-server=10.10.1.1 domain=-snip- gateway=10.0.80.222 ntp-server=10.0.80.222
# The router answers DNS queries from other hosts (allow-remote-requests=yes).
# Who may query it is decided only by the input chain, which accepts UDP 53
# from the "local" address list and drops everything else.
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
# Input chain (traffic to the router itself): stateful accept, then a short
# allow-list, then drop-all. Rule order is significant.
# NOTE(review): the rules reference the address lists "local", "management"
# and "admin", but no /ip firewall address-list section appears in this
# export. If the lists were only snipped, fine; if they are empty, none of
# these accept rules can match - verify on the device.
# - ICMP echo, DNS (UDP 53) and NTP (UDP 123) are accepted from "local".
#   Only UDP is accepted for port 53; DNS over TCP to the router is dropped.
# - TCP 80 and 22 to 10.0.80.222 are accepted from "management". Port 80 is
#   plain HTTP, so management credentials cross VLAN 80 unencrypted.
# - UDP 5246/5247 to 10.0.80.222 are accepted from "management" - presumably
#   CAPsMAN, since caps-manager=10.0.80.222 is set on the vlan-80 DHCP network.
# - SSH (TCP 22) is accepted from the WAN list for sources in "admin"; the
#   exposure of the router's SSH service to the uplink depends entirely on
#   the contents of that list.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input icmp-options=8:0-255 protocol=icmp src-address-list=local
add action=accept chain=input dst-port=53,123 protocol=udp src-address-list=local
add action=accept chain=input dst-address=10.0.80.222 dst-port=80,22 protocol=tcp src-address-list=management
add action=accept chain=input dst-address=10.0.80.222 dst-port=5246,5247 protocol=udp src-address-list=management
add action=accept chain=input dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=admin
add action=drop chain=input
# Forward chain (traffic through the router): stateful accept, IPsec, explicit
# per-VLAN allows, then drop-all.
# - The two IPsec rules accept any forwarded packet that matches an IPsec
#   policy in either direction, with no interface or address restriction, so
#   tunnel traffic is not subject to the per-VLAN rules that follow.
# - VLANs 5, 14, 15, 16 and 17 may reach the WAN list; VLAN 15 may also reach
#   VLAN 20 and VLAN 5.
# - vlan-4 and vlan-80 have no accept rule as in-interface, so their forwarded
#   traffic passes only via the IPsec rules or as established/related.
# - The explicit drops for vlan-20 and vlan-80 towards WAN are already covered
#   by the final drop-all; they change no verdict and only provide separate
#   counters.
# NOTE(review): every allow here matches on in-interface=vlan-N. If packets do
# not arrive on those VLAN interfaces, nothing matches and all forwarded
# traffic falls through to the final drop.
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=Ipsec ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward in-interface=vlan-5 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-14 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-17 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-20
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-5
add action=drop chain=forward comment="Default drop" in-interface=vlan-20 out-interface-list=WAN
add action=drop chain=forward in-interface=vlan-80 out-interface-list=WAN
add action=drop chain=forward
# Source NAT: masquerade everything leaving via the WAN list except traffic
# that matches an outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
# Management services: telnet, ftp, api and api-ssl are switched off.
# NOTE(review): www, ssh and winbox are not mentioned, so they are presumably
# at their defaults; access to them is limited only by the input chain. An
# address= restriction per service would add a second layer if a firewall
# rule is ever loosened.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): forwarding-enabled=both allows SSH port forwarding in both
# directions for any account that can log in over SSH. Forwarded connections
# originate from the router itself, so the forward-chain VLAN policy does not
# apply to them. Since SSH is also accepted from the WAN list for the "admin"
# address list, confirm forwarding is actually needed.
/ip ssh
set forwarding-enabled=both
I've tried 7.1 on my previous attempt to migrate to 7.x - it was the same issue.