Rj24
just joined
Topic Author
Posts: 2
Joined: Tue Nov 30, 2021 5:06 pm

HAP Ac2 - Need help with Vlans and PiHole DNS

Thu Dec 23, 2021 9:56 pm

I am a Mikrotik/RouterOS noob and in general am not at all an expert in networking. The Vlan setup has been killing me. I have read through PCUnite's examples and have been trying to implement the RouterSwitchAP.rsc example. My setup is as follows:

Hap Ac2 with 5 Ethernet ports:
1 - WAN
2 - Attached to 2 Unmanaged 8 port Switches daisy chained. Multiple ethernet ports going to various rooms are connected to these switches, some of the ports are occupied with a printer and other devices - including 2 raspberry Pis, one running HomeAssistant at 192.168.0.200 and one pi at 192.168.0.151 running a pihole docker container generating a separate pihole DNS ip of 192.168.0.210. The pi at 192.168.0.151 also runs a Wireguard server.
3 - TV
4 - Soon to be installed Ethernet camera system
5 - currently unused

The router has 2 wifi ports (2 and 5 GHz bands).
I'm trying to set up separate VLANs using VLAN tag filtering as follows (and have followed as closely as possible and/or adapted the Router-Switch-AP configuration to do so):
- guest wifi (PVID 20)
- cameras (PVID 3),
- wifi enabled light switches (PVID 30)
- wifi untrusted devices (PVID 50, no internet and otherwise more isolated),
- vlan for ethernet 4 (PVID 4)
- vlan for ethernet 5 (PVID 5),
- a management VLAN (the BASE in pcunite's example) (PVID 99) - includes all hardwired ethernet devices plugged into the unmanaged switches that are plugged into ethernet 2 (devices include the pihole), plus the 2 and 5 Ghz virtual network containing same SSID (AcmeWireless)

Problems I am having:
1) The pihole DNS, which has a static IP of 192.168.0.210, is not pingable and is inaccessible from any of the VLANs, including 99. I have only gotten internet access by adding 1.1.1.1 as an alternative DNS. The pihole seems not to be binding to its IP and/or some firewall rule is blocking it (I suspect a DHCP misconfiguration). The HomeAssistant server is also not accessible from a PC on the 99 VLAN. Pihole and HomeAssistant are both accessible fine without any implementation of VLANs.
2) The 2 GHz and 5 GHz wifi bands will not work (I do not get an assigned IP) unless I set the option in the VLAN tab on the port to "Admit All", but I believe the recommended option was admit only untagged and priority tagged.


Goals are to allow 192.168.0.210 (the Pihole DNS) to be accessible to all VLANs, general isolation of the VLANs, and any PC on the VLAN to be able to access any device on the VLANs (including the Pis). Attached are the relevant portions of my /export hide-sensitive configuration (edited somewhat to redact some additional info).


Would greatly appreciate any help you can give and tips to improve the setup. Thank you.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAP Ac2 - Need help with Vlans and PiHole DNS

Fri Dec 24, 2021 3:02 am

1) Your firewall doesn't block anything at all in firewall chain. Vlan 99 has the same 192.168.0.0/24 subnet as pihole, so any communication between pihole and other devices in vlan 99 doesn't even have to pass through router. You make pihole so accessible that you force any dns traffic to it, including access from outside, so you're creating open resolver (that's not good). But for some strange reason, you have static arp entry for 192.168.0.210, so it could be the problem if it's not correct.

2) You have all wlan interfaces listed as tagged in "/interface bridge vlan", but only two base ones are configured with tags. You need to either add correct vlan-mode=use-tag vlan-id=X for others, or keep them untagged and also list them as untagged ports.
 
anav
Forum Guru
Posts: 19370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HAP Ac2 - Need help with Vlans and PiHole DNS

Fri Dec 24, 2021 3:39 am

Keep it simple.
One bridge
Identify all vlans with interface bridge
all vlans should get IP address, IP pool, DHCP server, DHCP server-network settings
configure the interface bridge ports
configure the interface vlan settings
Figure out which is the BASE VLAN (the trusted one where the admin will reside for example)
Create an interface list entry called BASE.
Add the trusted vlan to that list.
Then ensure neighbours discovery is set to that list
Then ensure mac server winmacserver is set to that list.

All managed smart devices directly attached to the router should have an IP address on the trusted VLAN (or any cascaded smart devices).
(to be carried on the trunk port from the router to that device).

Wireless settings should not include any vlan settings!!

Keep the firewall rules as defaults to ensure the vlan setup works first then..................
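The steps above, and Sob's point about wlan interfaces being listed as tagged without a matching vlan-mode, come together in the following RouterOS configuration. It is an added example, not anav's, Sob's or the original poster's configuration. It shows two of the VLANs from the first post (BASE/99 as the trusted VLAN, guest/20) with the wlan interfaces left untagged so the bridge port PVID does the work. The names BR1, BASE_VLAN, GUEST_VLAN, LIST_WAN, LIST_LAN, BASE and the guest subnet 192.168.20.0/24 are assumptions; the virtual AP wlan1-guest is assumed to already exist; 192.168.0.0/24 and the pihole address 192.168.0.210 are from the thread.

```routeros
# Added example (not from the thread). Assumed names: BR1, BASE_VLAN, GUEST_VLAN,
# LIST_WAN, LIST_LAN, BASE. Guest subnet 192.168.20.0/24 is a constructed value.
# ether1 = WAN, ether2 = trunk-less access port to the unmanaged switches (VLAN 99),
# wlan1/wlan2 = main SSID on VLAN 99, wlan1-guest = existing virtual AP for VLAN 20.

/interface bridge
add name=BR1 vlan-filtering=no comment="filtering is switched on as the last step"

# Wireless: no VLAN tagging on the radios; the bridge port PVID assigns the VLAN
/interface wireless
set wlan1 vlan-mode=no-tag
set wlan2 vlan-mode=no-tag
set wlan1-guest vlan-mode=no-tag

# Bridge ports: each access port carries exactly one untagged VLAN (its PVID).
# frame-types rejects tagged frames, so a client cannot hop VLANs by tagging.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan1 pvid=99 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan1-guest pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# Bridge VLAN table: an untagged port is listed as untagged (never as tagged),
# and the bridge itself is tagged so the router's VLAN interfaces can reach it.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,wlan2 vlan-ids=99
add bridge=BR1 tagged=BR1 untagged=wlan1-guest vlan-ids=20

# Layer-3 VLAN interfaces on the bridge
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20

# Every VLAN gets an address, a pool, a DHCP server and a DHCP network.
# The BASE pool stays below .151 so the static Pis (.151, .200, .210) are not handed out.
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN
add address=192.168.20.1/24 interface=GUEST_VLAN
/ip pool
add name=BASE_POOL ranges=192.168.0.100-192.168.0.150
add name=GUEST_POOL ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.210
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.0.210

# Interface lists: WAN, LAN (all VLANs) and BASE (the trusted VLAN only)
/interface list
add name=LIST_WAN
add name=LIST_LAN
add name=BASE
/interface list member
add interface=ether1 list=LIST_WAN
add interface=BASE_VLAN list=LIST_LAN
add interface=GUEST_VLAN list=LIST_LAN
add interface=BASE_VLAN list=BASE

# Management plane (neighbor discovery, MAC telnet, MAC WinBox) only from BASE
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

# Last step: enable VLAN filtering once the table above is complete
/interface bridge
set BR1 vlan-filtering=yes
```

Enable vlan-filtering last, from a WinBox session on a port that is in VLAN 99, because a port that is missing from the bridge VLAN table stops passing traffic the moment filtering is turned on. The remaining VLANs from the first post (3, 30, 50, 4, 5) follow the same four-line pattern: a bridge port with a PVID, a bridge vlan row, a VLAN interface, and address/pool/DHCP entries.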
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAP Ac2 - Need help with Vlans and PiHole DNS

Fri Dec 24, 2021 4:20 am

Wireless settings should not include any vlan settings!!
I probably wouldn't do it either, if each wlan has only one vlan, but it's perfectly valid config.
 
Rj24
just joined
Topic Author
Posts: 2
Joined: Tue Nov 30, 2021 5:06 pm

Re: HAP Ac2 - Need help with Vlans and PiHole DNS

Sat Dec 25, 2021 9:11 am

Thanks for all your help. My basic mistake was trying to do this in the WinBox menus rather than just use the terminal commands when following the example from pcunite. I had assumed some of the default settings for the command line configurations for the VLANs were tagged when they should have been untagged. In addition, I had ether2 having its own separate VLAN when I had already identified it to 99, so I deleted that separate VLAN. Everything is working now as far as I can tell. Thanks to all.

Merry Christmas,

RJ
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAP Ac2 - Need help with Vlans and PiHole DNS

Sat Dec 25, 2021 6:46 pm

Don't forget to fix firewall, add back default (at the end):
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=LIST_WAN
Limit your pihole-enforcing dstnat using e.g. in-interface-list=!LIST_WAN. Fix the last rule in input chain using wrong list in-interface-list=!LAN. And then you can remove those weird rules in output chain.
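Sob's three fixes (the default WAN drop back at the end of the forward chain, the pihole dstnat limited to non-WAN interfaces, and the input drop referencing the list that actually exists) look like this as a complete filter and NAT set. This is an added example, not Sob's or the original poster's configuration. It assumes the interface lists LIST_WAN and LIST_LAN from the previous example; the pihole address 192.168.0.210 is from the thread. It also adds the same-subnet hairpin rule that the redirect needs for clients in VLAN 99, which the thread does not discuss.

```routeros
# Added example (not from the thread). Assumed lists: LIST_WAN (ether1) and
# LIST_LAN (all VLAN interfaces). Pihole at 192.168.0.210 on VLAN 99.

/ip firewall filter
# --- input chain: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# allow DHCP/DNS/WinBox etc. from the LAN side; the final drop must name the list
# that exists in this config (LIST_LAN), not a list that was never created (LAN)
add chain=input action=accept in-interface-list=LIST_LAN comment="LAN to router"
add chain=input action=drop in-interface-list=!LIST_LAN comment="defconf: drop all not coming from LAN"

# --- forward chain: traffic through the router ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LIST_LAN out-interface-list=LIST_WAN comment="LAN to internet"
# every VLAN may reach the pihole for DNS only (forward sees the post-dstnat address)
add chain=forward action=accept in-interface-list=LIST_LAN dst-address=192.168.0.210 protocol=udp dst-port=53 comment="any VLAN to pihole DNS"
add chain=forward action=accept in-interface-list=LIST_LAN dst-address=192.168.0.210 protocol=tcp dst-port=53 comment="any VLAN to pihole DNS (tcp)"
# isolation: no other inter-VLAN traffic
add chain=forward action=drop in-interface-list=LIST_LAN out-interface-list=LIST_LAN comment="isolate VLANs"
# the default rule goes back at the end: nothing unsolicited from WAN
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=LIST_WAN

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=LIST_WAN comment="defconf: masquerade"
# Force LAN DNS to the pihole. Limiting to !LIST_WAN keeps this from turning the
# pihole into an open resolver; excluding the pihole's own source lets it reach
# its upstream resolvers; excluding the pihole as destination skips already-correct queries.
add chain=dstnat action=dst-nat to-addresses=192.168.0.210 to-ports=53 protocol=udp dst-port=53 in-interface-list=!LIST_WAN src-address=!192.168.0.210 dst-address=!192.168.0.210 comment="force LAN DNS to pihole"
add chain=dstnat action=dst-nat to-addresses=192.168.0.210 to-ports=53 protocol=tcp dst-port=53 in-interface-list=!LIST_WAN src-address=!192.168.0.210 dst-address=!192.168.0.210 comment="force LAN DNS to pihole (tcp)"
# Hairpin for VLAN 99: a client there shares the pihole's subnet, so without this
# the pihole would answer the client directly and the client would discard a reply
# that did not come from the address it queried.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.210 protocol=udp dst-port=53 comment="hairpin redirected DNS"
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.210 protocol=tcp dst-port=53 comment="hairpin redirected DNS (tcp)"
```

With the redirect bounded to non-WAN interfaces and no dstnat from LIST_WAN to port 53, a port scan from the internet never reaches the pihole, which is the open-resolver exposure Sob warned about in the first reply. Check with /ip firewall filter print stats that the "any VLAN to pihole DNS" counters rise when a guest client resolves a name and that the "isolate VLANs" counter rises when it tries anything else.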
