So does that mean that if I use the bridge only for the VLAN setup, I still get the same advantages from the switch chip in the current 6.x?
With the setup you posted in post #4 above, intra-VLAN inter-ethernet traffic is handled by the switch chip and is therefore wire-speed with no impact on CPU load. Only the use of multiple bridges to handle wireless traffic is convoluted and probably slightly heavier on the CPU than the simplified setup I proposed would be, even if it were done correctly. And I hesitate to dig into that mess of configuration to see where it might be broken.
OK, well I:
-Moved all the wlan ports to the main bridge
-Removed the 3 WLAN bridges
-All of the virtual wlan interfaces were already use-tag, with the associated vlan.
-Moved all the ip addresses for the virtual wlan interfaces to their associated vlan.
-Added the WLAN vlans to the bridge
-I can't move the DHCP Server interface(s) to the wireless vlans (error)
Before I did that, DHCP didn't work, but static addresses on the wireless clients worked. Now wlan DHCP and static addresses appear to work. Will test more!
# may/04/2022 02:59:01 by RouterOS 6.49.6
# software id = AKR0-XZSF
#
# model = CRS125-24G-1S-2HnD
/interface bridge
# Single bridge that carries every VLAN; all vlan* interfaces below are created on it
# and the wired ports plus the virtual APs are made ports of it further down.
add name=bridgeVLAN
/interface wireless
# Physical 2.4 GHz radio, enabled, broadcasting its own SSID ("wlan") with the
# default security profile. wlan1 itself is never added to bridgeVLAN (only the
# virtual wlanLAN/wlanGUEST/wlanDMZ interfaces are), so a station joining this
# SSID would appear to have no bridged path — NOTE(review): confirm this SSID is
# intended, otherwise give it a non-advertised name or a dedicated profile.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="united states" disabled=no frequency=auto mode=ap-bridge ssid=\
wlan
/interface ethernet
# ether23 is the upstream port; it is renamed wan1 and that name is what every
# in-interface/out-interface match in the firewall and NAT rules refers to.
set [ find default-name=ether23 ] comment="WAN uplink to AT&T" name=wan1
/interface l2tp-server
# Static L2TP server binding for the user ERUUser. NOTE(review): the only
# /ppp secret in this export is L2TPUser, so no secret for ERUUser is visible —
# confirm it exists (exports strip passwords, not secret names).
add name=L2TP-Interface user=ERUUser
/interface vlan
# One routed VLAN interface per segment, all stacked on bridgeVLAN.
# Wired segments use even IDs (2, 4, 6); each wireless sibling uses the next
# odd ID (3, 5, 7). TH is a separate segment on ID 33.
add name=vlanDMZ vlan-id=6 interface=bridgeVLAN
add name=vlanDMZWlan vlan-id=7 interface=bridgeVLAN
add name=vlanGUEST vlan-id=4 interface=bridgeVLAN
add name=vlanGUESTWlan vlan-id=5 interface=bridgeVLAN
add name=vlanLAN vlan-id=2 interface=bridgeVLAN
add name=vlanLANWlan vlan-id=3 interface=bridgeVLAN
add name=vlanTH vlan-id=33 interface=bridgeVLAN
/interface wireless security-profiles
# WPA2-PSK on every profile; the pre-shared keys are not included in the export.
# The default profile is what the physical wlan1 radio uses; the three named
# profiles belong to the virtual APs defined next.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=rgsWireless
add authentication-types=wpa2-psk comment="Wireless LAN" eap-methods="" mode=\
dynamic-keys name=wlanLAN supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless GUEST" eap-methods="" \
mode=dynamic-keys name=wlanGUEST supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless DMZ" eap-methods="" mode=\
dynamic-keys name=wlanDMZ supplicant-identity=""
/interface wireless
# Three virtual APs on top of wlan1, one per wireless VLAN. Each one tags its own
# frames (vlan-mode=use-tag) with the wireless sibling VLAN id (7, 5, 3), so the
# traffic enters bridgeVLAN already tagged and is picked up by the matching
# vlan*Wlan interface; each AP uses the security profile of the same name.
add comment="wlanDMZ Virtual Interface" disabled=no keepalive-frames=disabled \
mac-address=DE:2C:6E:3D:F5:06 master-interface=wlan1 multicast-buffering=\
disabled name=wlanDMZ security-profile=wlanDMZ ssid=sD vlan-id=7 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanGUEST Virtual Interface" disabled=no keepalive-frames=\
disabled mac-address=DE:2C:6E:3D:F5:05 master-interface=wlan1 \
multicast-buffering=disabled name=wlanGUEST security-profile=wlanGUEST \
ssid=sG vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
# WPS is disabled on all three APs (wps-mode=disabled), which removes the
# WPS-PIN attack surface.
add comment="wlanLAN Virtual Interface" disabled=no keepalive-frames=disabled \
mac-address=BA:69:F4:F5:53:C2 master-interface=wlan1 multicast-buffering=\
disabled name=wlanLAN security-profile=wlanLAN ssid=sL vlan-id=3 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
# Export artefacts: only the comments of the per-AP tx-power and nstreme entries
# are set; no power or nstreme parameters are changed here.
set wlanDMZ comment="wlanDMZ Virtual Interface"
set wlanGUEST comment="wlanGUEST Virtual Interface"
set wlanLAN comment="wlanLAN Virtual Interface"
/interface wireless nstreme
# *25/*24/*22 are internal item ids assigned by the export, not interface names.
set *25 comment="wlanDMZ Virtual Interface"
set *24 comment="wlanGUEST Virtual Interface"
set *22 comment="wlanLAN Virtual Interface"
/ip pool
# DHCP pools, one per segment. The third octet of each 192.168.x pool equals
# the VLAN id of the interface it serves (2..7); poolL2TP serves remote-access
# clients of the L2TP profile.
add ranges=192.168.2.100-192.168.2.199 name=poolLAN
add ranges=192.168.4.100-192.168.4.199 name=poolGUEST
add ranges=10.2.2.50-10.2.2.99 name=poolL2TP
add ranges=192.168.6.100-192.168.6.199 name=poolDMZ
add ranges=192.168.3.100-192.168.3.199 name=poolLANWlan
add ranges=192.168.5.100-192.168.5.199 name=poolGUESTWLan
add ranges=192.168.7.100-192.168.7.199 name=poolDMZWlan
/ip dhcp-server
# One DHCP server per routed VLAN interface, each bound to the pool of the same
# segment. The accompanying post says binding the servers to the wireless VLANs
# produced an error; in this export the three *Wlan servers are nevertheless
# attached to the vlan*Wlan interfaces — NOTE(review): verify they are actually
# running and not stuck in an invalid state.
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
add address-pool=poolDMZ disabled=no interface=vlanDMZ name=dhcpDMZ
add address-pool=poolLANWlan disabled=no interface=vlanLANWlan name=\
dhcpLANWlan
add address-pool=poolGUESTWLan disabled=no interface=vlanGUESTWlan name=\
dhcpGUESTWlan
add address-pool=poolDMZWlan disabled=no interface=vlanDMZWlan name=\
dhcpDMZWlan
/ppp profile
# Profile handed to L2TP clients: router side 10.2.2.1, client addresses from
# poolL2TP, public resolvers pushed, MSS clamped for the tunnel MTU, and
# use-encryption=yes so sessions without PPP encryption are refused (transport
# is additionally wrapped in IPsec by the server settings below).
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.2.2.1 \
name=L2TP remote-address=poolL2TP use-encryption=yes
/interface bridge port
# Wired switch ports in the bridge: ether1-ether18, ether20-ether22, ether24 and
# sfp1. Deliberately absent: ether23 (renamed wan1, routed) — and ether19, which
# the switch VLAN tables below treat as the TH access port. NOTE(review): on
# this CRS the bridge is presumably what enables hardware forwarding between
# these ports; confirm ether19 is meant to stay outside it.
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
# Virtual APs join the bridge directly; they tag their frames themselves
# (vlan-mode=use-tag on each interface).
add bridge=bridgeVLAN interface=wlanLAN
add bridge=bridgeVLAN interface=wlanGUEST
add bridge=bridgeVLAN interface=wlanDMZ
# NOTE(review): vlanDMZWlan / vlanGUESTWlan / vlanLANWlan are VLAN interfaces
# created ON bridgeVLAN. Making them ports of the very bridge they sit on feeds
# their tagged egress back into that bridge; a VLAN interface on a bridge
# normally receives the tagged frames without being a bridge port. Confirm
# these three entries are needed before relying on them.
add bridge=bridgeVLAN interface=vlanDMZWlan
add bridge=bridgeVLAN interface=vlanGUESTWlan
add bridge=bridgeVLAN interface=vlanLANWlan
/ip firewall connection tracking
# Stateful tracking must be on for the connection-state matches used below.
set enabled=yes
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" still includes wan1, so neighbor discovery (MNDP /
# LLDP / CDP) is active on the WAN uplink as well; an interface list holding
# only the internal interfaces would keep it off the Internet-facing port.
set discover-interface-list=!dynamic
/ip settings
# Strict reverse-path filtering: packets whose source would not be routed back
# through the ingress interface are dropped. Keep an eye on this if routing
# over the L2TP tunnel ever becomes asymmetric.
set rp-filter=strict
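/interface ethernet switch egress-vlan-tag
# Frames of these VLANs leave the listed ports tagged: ether24 is the trunk,
# switch1-cpu hands tagged frames to the CPU where the vlan* interfaces on
# bridgeVLAN receive them.
add comment=LAN tagged-ports=ether24,switch1-cpu vlan-id=2
add comment=GUEST tagged-ports=ether24,switch1-cpu vlan-id=4
add comment=DMZ tagged-ports=ether24,switch1-cpu vlan-id=6
add comment=TH tagged-ports=switch1-cpu vlan-id=33
/interface ethernet switch ingress-vlan-translation
# Untagged ingress (customer-vid=0) on the access ports is assigned the VLAN of
# its segment. ether20 is a bridge port but appears in no translation or VLAN
# entry — NOTE(review): confirm what untagged traffic on ether20 is meant to do.
add comment=:LAN customer-vid=0 new-customer-vid=2 ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16" service-dei=0
add comment=GUEST customer-vid=0 new-customer-vid=4 ports=ether17,ether18
add comment=DMZ customer-vid=0 new-customer-vid=6 ports=ether21,ether22
add comment=TH customer-vid=0 new-customer-vid=33 ports=ether19
/interface ethernet switch vlan
# VLAN membership table of the switch chip: access ports + trunk + CPU port.
add comment=LAN ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,switch1-cpu" vlan-id=2
add comment=GUEST ports=ether17,ether18,ether24,switch1-cpu vlan-id=4
add comment=DMZ ports=ether21,ether22,ether24,switch1-cpu vlan-id=6
# FIX: VLAN 33 listed only ether19, although the egress table tags it on
# switch1-cpu and vlanTH (10.33.33.34/16) is a routed interface on bridgeVLAN.
# Without switch1-cpu in the member list the CPU never sees VLAN 33 frames, so
# routing/DHCP/NAT for TH could not work; add the CPU port like the other VLANs.
add comment=TH ports=ether19,switch1-cpu vlan-id=33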
/interface l2tp-server server
# Remote-access L2TP: sessions are only accepted inside IPsec
# (use-ipsec=required); the IPsec pre-shared key is presumably stripped from
# this export. NOTE(review): MS-CHAPv1 is still offered — prefer
# authentication=mschap2 only, unless a legacy client genuinely needs v1.
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes \
use-ipsec=required
/ip address
# Router addresses: .1 of each /24 on its VLAN interface. wan1 itself sits on
# 192.168.15.0/24 behind the AT&T gateway (double NAT), which is why the
# 192.168.0.0/16 bogon entry further down is kept disabled.
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.4.1/24 interface=vlanGUEST network=192.168.4.0
add address=192.168.15.3/24 interface=wan1 network=192.168.15.0
add address=192.168.6.1/24 interface=vlanDMZ network=192.168.6.0
# TH is a /16, unlike the other segments; the NAT rule for it below should match
# the same prefix.
add address=10.33.33.34/16 interface=vlanTH network=10.33.0.0
# Wireless-VLAN addresses, moved here from the former per-SSID bridges.
add address=192.168.3.1/24 network=192.168.3.0 interface=vlanLANWlan
add address=192.168.5.1/24 network=192.168.5.0 interface=vlanGUESTWlan
add address=192.168.7.1/24 network=192.168.7.0 interface=vlanDMZWlan
/ip cloud
# Registers the router's public address with MikroTik's cloud DDNS service;
# this involves periodic outbound traffic to MikroTik and can be turned off if
# the DDNS name is not used.
set ddns-enabled=yes
/ip dhcp-server lease
/ip dhcp-server network
# No static leases. One network per segment; the gateway is the router's own
# address on that VLAN. The LAN segment is pointed at an internal resolver
# (192.168.2.36) with 8.8.8.8 as fallback; every other segment gets public
# resolvers only, so the router's own DNS/DoH forwarder is not used by clients.
add address=192.168.2.0/24 dns-server=192.168.2.36,8.8.8.8 \
gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=8.8.8.8 \
gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8 \
gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 dns-server=8.8.8.8 \
gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.6.1 netmask=24
add address=192.168.7.0/24 dns-server=8.8.8.8 domain= \
gateway=192.168.7.1 netmask=24
/ip dns
# The router resolves over DNS-over-HTTPS to Cloudflare and verifies the server
# certificate; that requires a trusted CA certificate to be imported, which is
# not visible in this export. allow-remote-requests=yes turns the router into a
# recursive resolver for anyone the input chain lets reach port 53 —
# NOTE(review): make sure the "Accept DNS" filter rules do not admit queries
# arriving on wan1, or this becomes an open resolver usable for amplification.
set allow-remote-requests=yes use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall address-list
# "bogons": prefixes that should never appear as a destination on the Internet.
# NOTE(review): 10.0.0.0/8 and 172.16.0.0/12 are left enabled while
# 192.168.0.0/16 is disabled; this router uses 10.33.0.0/16 (vlanTH) and
# 10.2.2.0/24 (L2TP pool) internally, so any forward rule keyed on this list
# without an out-interface restriction will also drop traffic to those segments.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
# "allowed_to_router": the only sources granted management access in the input
# chain (the wired LAN segment; the wireless VLANs are intentionally excluded).
add address=192.168.2.0-192.168.2.254 list=allowed_to_router
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
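/ip firewall filter
# Rule order is significant: the first match in a chain decides. Input policy is
# "accept established, accept a few services, accept management from the wired
# LAN, drop everything else (WAN first, then logged)". Forward policy allows
# anything between internal segments except GUEST, and blocks unsolicited WAN.
add action=accept chain=forward comment="ALL ICMP Input" disabled=yes protocol=icmp
add action=accept chain=input comment="ALL ICMP INPUT" disabled=yes protocol=icmp
add action=accept chain=output comment="ALL ICMP OUTPUT" disabled=yes protocol=icmp
add action=accept chain=input comment="Accept established related input" connection-state=established,related,untracked
add action=drop chain=input comment="drop input: invalid" connection-state=invalid
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
# FIX: these two rules sit above the WAN drop and matched port=53 (source OR
# destination port) on every interface. Combined with /ip dns
# allow-remote-requests=yes that made the router an open resolver on wan1, and
# any packet with source port 53 could reach every router service. Match the
# destination port only and exclude the WAN uplink.
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 in-interface=!wan1 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 in-interface=!wan1 protocol=tcp
# L2TP/IPsec from the Internet: IKE (500), NAT-T (4500) and L2TP (1701).
# 1701 is admitted in the clear here; the server's use-ipsec=required still
# rejects plain L2TP, and a separate rule with ipsec-policy=in,ipsec would
# enforce that at the firewall as well.
add action=accept chain=input comment="L2TP Ports" dst-port=500,1701,4500 in-interface=wan1 protocol=udp
add action=accept chain=input comment="L2TP ipsec-esp" in-interface=wan1 protocol=ipsec-esp
# FIX: this rule duplicated the ESP rule (protocol=ipsec-esp) while its comment
# says AH; match the AH protocol it was meant to allow.
add action=accept chain=input comment="L2TP ipsec-ah" in-interface=wan1 protocol=ipsec-ah
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# FIX: the jump matched protocol=xns-idp, so the SSH brute-force chain was never
# entered from input. Match TCP to the SSH ports; /ip service moves the router's
# SSH to 222, so both 22 and 222 are covered.
add action=jump chain=input comment="Jump for SSH input" dst-port=22,222 jump-target=SSH protocol=tcp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Input Management" src-address=192.168.2.0/24
add action=drop chain=input comment="block everything else WAN1" in-interface=wan1
add action=drop chain=input comment="drop all input" log=yes log-prefix="Drop Input:"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment="Accept established related forward" connection-state=established,related,untracked
add action=drop chain=forward comment="drop forward: invalid" connection-state=invalid
# GUEST may only reach the Internet. FIX: the wireless guest segment
# (vlanGUESTWlan, VLAN 5) had no such rule and could reach every other VLAN;
# it now gets the same treatment. DMZ (vlanDMZ/vlanDMZWlan) is still allowed to
# initiate connections into LAN — NOTE(review): add equivalent drops if the DMZ
# is meant to be isolated.
add action=drop chain=forward comment="VLAN Internet Access Only - GUEST" connection-state=new in-interface=vlanGUEST out-interface=!wan1
add action=drop chain=forward comment="VLAN Internet Access Only - GUEST Wlan" connection-state=new in-interface=vlanGUESTWlan out-interface=!wan1
# FIX: the bogon drop had no interface restriction; with 10.0.0.0/8 enabled in
# the list it also dropped internal traffic to vlanTH (10.33.0.0/16) and to L2TP
# clients (10.2.2.x). Bogon destinations only matter on the way to the Internet.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons log=yes log-prefix="DROP BOGON:" out-interface=wan1
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for SSH forward" jump-target=SSH
add action=drop chain=forward comment="drop all not NAT WAN1" connection-nat-state=!dstnat connection-state=new in-interface=wan1
# ICMP chain: rate-limited echo plus the types needed for PMTUD/traceroute; the
# rest is dropped (no return, so the chain is terminal).
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# SSH chain: staged list escalation — four new connections within about a minute
# land the source on ssh_blacklist for 10 days. It is shared by input (router's
# own SSH, port 222) and forward (downstream hosts, port 22), hence both ports.
# Note the stage rules have no source restriction, so a management host that
# reconnects rapidly can blacklist itself.
add action=drop chain=SSH comment="drop ssh brute forcers" dst-port=22,222 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=SSH connection-state=new dst-port=22,222 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=SSH connection-state=new dst-port=22,222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=SSH connection-state=new dst-port=22,222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=SSH connection-state=new dst-port=22,222 protocol=tcp
add action=drop chain=SSH comment="drop ssh brute downstream" dst-port=22,222 protocol=tcp src-address-list=ssh_blacklist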
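/ip firewall nat
# Source NAT towards wan1. Each /23 covers a wired VLAN together with its
# wireless sibling (192.168.2/3, 4/5, 6/7). ipsec-policy=out,none on the LAN
# rule keeps packets that will be IPsec-encapsulated out of NAT.
add action=masquerade chain=srcnat comment="NAT LAN 192.168.2.0/23" ipsec-policy=out,none out-interface=wan1 src-address=192.168.2.0/23
add action=masquerade chain=srcnat comment="NAT GUEST 192.168.4.0/23" out-interface=wan1 src-address=192.168.4.0/23
add action=masquerade chain=srcnat comment="NAT DMZ 192.168.6.0/23" out-interface=wan1 src-address=192.168.6.0/23
# FIX: vlanTH is addressed 10.33.33.34/16 and the comment says /16, but the
# match was 10.33.0.0/24, so any TH host outside 10.33.0.x left wan1 un-NATed.
add action=masquerade chain=srcnat comment="NAT TH 10.33.0.0/16" out-interface=wan1 src-address=10.33.0.0/16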
/ip route
# Default route via the AT&T gateway on the wan1 subnet (192.168.15.0/24).
add gateway=192.168.15.1 distance=1
/ip service
# Management surface: clear-text services (telnet, ftp, www) and the API are
# off; SSH is moved to 222. winbox and www-ssl are not mentioned, so they keep
# whatever state they had (not verifiable from this export). Reachability is
# further limited by the input chain to allowed_to_router / 192.168.2.0/24.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): make sure the SSH brute-force chain in /ip firewall filter
# matches this port (222), not only the default 22.
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Disables the weak legacy ciphers/MACs/key-exchange offered by the SSH server.
set strong-crypto=yes
/ppp secret
# L2TP remote-access account (password stripped by the export). Note that the
# static /interface l2tp-server entry above refers to a different user name.
add name=L2TPUser profile=L2TP service=l2tp
/system identity
set name=CRS125-24G-1S-2
/system ntp client
# Time sync from the public NTP pool (plain, unauthenticated NTP); correct time
# matters here because verify-doh-cert=yes depends on certificate validity.
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
# Bandwidth-test server disabled — one less service listening on the router.
set enabled=no
/tool sniffer
# Default capture file name; no sniffer is running from this export.
set file-name=sniff