bmurph213
just joined
Topic Author
Posts: 5
Joined: Tue Oct 23, 2018 3:10 am

Vlan issues with accessing devices on different vlans

Wed Nov 03, 2021 5:50 pm

Hi All,

Have a strange issue here. I have created 2-3 vlans for separating out systems and traffic on my home network. Let me describe the strange issue I am encountering. I have several applications that need to be connected or I would like to browse to the internal website. When I do this from the same subnet there is no issue. However, when I connect from a different subnet 10.0.1.x to 10.0.2.x I am not able to connect to the device. What I am struggling with is that the firewall is set up to allow this traffic, but I am still seeing these systems having issues working together. If they are all on the same subnet, they work without issue. Can someone point me to why these would not be working? No local firewalls or restrictions on the devices themselves to prevent access other than the Mikrotik router and firewall. Any help here would be greatly appreciated as I don't know where to start looking into what is blocking this.

Router Config
/interface bridge
add name=bridge1
add name=guest_br
add name=internal_br
add name=iot_br
add name=lobridge
add name=vm_br
/interface vlan
add comment=Management interface=sfp-sfpplus1 name=\
vlan10_sfpp1 vlan-id=10
add comment=Internal interface=sfp-sfpplus1 name=\
vlan100_sfpp1 vlan-id=100
add comment=IoT interface=sfp-sfpplus1 name=vlan200_sfpp1 \
vlan-id=200
add comment=Guest interface=sfp-sfpplus1 name=\
vlan300_sfpp1 vlan-id=300
add comment=VM interface=sfp-sfpplus1 name=vlan400_sfpp1 \
vlan-id=400
/caps-man datapath
add bridge=internal_br client-to-client-forwarding=yes \
name=internal
add bridge=iot_br client-to-client-forwarding=yes name=\
IoT
add bridge=guest_br client-to-client-forwarding=yes name=\
guest
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=internal_br interface=vlan100_sfpp1 trusted=\
yes
add bridge=iot_br interface=vlan200_sfpp1
add bridge=guest_br interface=vlan300_sfpp1
add bridge=vm_br interface=vlan400_sfpp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=vlan10_sfpp1 list=LAN
add interface=internal_br list=LAN
add interface=iot_br list=LAN
add interface=guest_br list=LAN
add interface=vm_br list=LAN
/ip address
add address=192.168.88.1/24 disabled=yes interface=ether8 \
network=192.168.88.0
add address=172.100.0.1/24 interface=vlan10_sfpp1 network=\
172.100.0.0
add address=172.100.1.1/24 interface=internal_br network=\
172.100.1.0
add address=172.100.2.1/24 interface=iot_br network=\
172.100.2.0
add address=172.100.3.1/24 interface=guest_br network=\
172.100.3.0
add address=172.100.4.1/24 interface=vm_br network=\
172.100.4.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward comment=\
"Allow Internal to Management" in-interface=\
vlan10_sfpp1 out-interface=internal_br
add action=accept chain=forward comment=\
"Allow Internal to VM" in-interface=vm_br \
out-interface=internal_br
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan issues with accessing devices on different vlans

Wed Nov 03, 2021 6:11 pm

Your explanation of the requirements (use cases) is rather weak but will take a look.
What device, which firmware?
Is this acting as an Access Point or a Router or both?

Okay, problem number one: you are using multiple bridges.
Then you assign vlans to ssfp10 and not to the bridge.
Finally, the final stab is you use capsman.
Having no clue on how to configure an MT router, using advanced functionality such as Capsman will only delay progress.

Finally, you have no firewall rules, I hope this router isn't connected directly to a MODEM??

Read through this guide as the standard for vlan configurations......
viewtopic.php?t=143620

Suggest,
a. start fresh
b. use the guide
c. use one bridge
d. assign all vlans to the bridge
e. ensure you have the default firewall rules in place (if applicable)
etc.......
Don't use capsman until you have a working config
with 'normal' wifi settings.
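
Added example (not part of the thread, and not MikroTik tooling): a small Python check that reads a RouterOS text export and flags the three points raised in the reply above: more than one bridge, VLAN interfaces created on a physical port instead of a bridge, and a firewall filter table with no drop or reject rule. The function names `parse_export` and `audit` are hypothetical, and the sample is a trimmed copy of the posted export.

```python
import shlex
from collections import defaultdict

# Constructed sample: trimmed from the export posted in the question.
SAMPLE_EXPORT = r'''
/interface bridge
add name=internal_br
add name=iot_br
/interface vlan
add comment=Internal interface=sfp-sfpplus1 name=\
    vlan100_sfpp1 vlan-id=100
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow Internal to VM" in-interface=vm_br \
    out-interface=internal_br
'''

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    menus, menu, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):         # menu path, e.g. /interface vlan
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus[menu].append(dict(pairs))
    return menus

def audit(menus):
    """Flag the three problems named in the reply."""
    findings = []
    bridges = {b["name"] for b in menus["/interface bridge"]}
    if len(bridges) > 1:
        findings.append(f"multiple bridges: {sorted(bridges)}")
    for v in menus["/interface vlan"]:
        if v["interface"] not in bridges:
            findings.append(f"vlan {v['vlan-id']} is on {v['interface']}, not a bridge")
    rules = menus["/ip firewall filter"]
    # With only accept rules, unmatched traffic is still accepted by default.
    if not any(r.get("action") in ("drop", "reject") for r in rules):
        findings.append("firewall filter has no drop/reject rule, nothing is filtered")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_export(SAMPLE_EXPORT))))
```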
