Thanks! I know I don't really need vlans for this, and I have a working config without them, but the principles of vlans seem a little easier to understand and they allow more options if I want to change something later. I plan to get into some smart home stuff in the near future, so I'm trying to set it up for whatever that may need.
I think you are the first person I ever remember saying that vlans were easier to understand. But that's not a bad thing.
Do look at the MikroTik documentation referenced in paragraph C of the link posted by anav. That is the best reference documentation that currently exists as far as I know.
Disclaimer: I am a novice with ROS. I have never used v6 (other than to upgrade to 7.2) and my only MikroTik ROS experience is with a hEX S in a LAB situation with some Ubiquiti ER-X and various dumb (Trendnet, TP-Link, even a bottom of the barrel Tenda) and vlan-aware switches (MikroTik CSS106-5G-1S, NetGear 908E, TP-Link TL-SG108E) and my primary playing was with vlans.
Here are the things I noticed in your config:
ether3 is using vlan 1 by default (since you did not specify the pvid)
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77
add bridge="bridge 1" comment=defconf interface=ether3
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66
Your /interface bridge vlan section doesn't have any ports included.
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" vlan-ids=77
Assuming your original specification where ports 2,3,4 were for vlan 77 (and I assumed as access ports), and port 5 was an access port for vlan 66, I would have expected this:
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" untagged=ether5 vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" untagged=ether2,ether3,ether4 vlan-ids=77
Although if the pvid is specified on the /interface bridge port, I think it implicitly added the untagged for the vlan on those ports. You can see if you use /export verbose. I prefer to be explicit in the config, as it makes it plain when reading the config. After you get things working, you may also want to consider adding frame-types to the /interface bridge port section. If these are really access ports, e.g.
/interface bridge port add bridge="bridge 1" comment=defconf interface=ether5 frame-types=admit-only-untagged-and-priority-tagged pvid=66
When I was playing, I used the default firewall and just associated my new vlans with the LAN list. I suggest you do the same; at least until you get things working. Note the following in the firewall filter:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
That's dropping traffic that reaches that part of the chain that is from any interface that isn't associated with LAN
So I would get rid of the bold line
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" include=all name=VLAN
And change
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=VLAN
add comment="spynet vlan" interface="spynet vlan" list=VLAN
to
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=LAN
add comment="spynet vlan" interface="spynet vlan" list=LAN
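As an added example (not part of this thread and not a MikroTik tool), here is a small Python checker that parses the `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export and flags the points raised in the reply above: a port with no `pvid` (so it defaults to VLAN 1), a VLAN entry with no member ports, a `pvid` that is not mirrored by an explicit `untagged` entry, and an access port without `frame-types`. Both embedded config fragments are constructed from the lines quoted in the post (the second is the corrected version); the parser only understands `add` lines of `key=value` pairs with the backslash continuation that `/export` produces, and it does not expand `vlan-ids` ranges.

```python
"""Lint a RouterOS bridge VLAN export for common access-port mistakes.

Added example for the forum reply above; not MikroTik code. The two
exports below are constructed sample input based on the lines quoted
in the thread.
"""
import shlex
from collections import defaultdict

# Constructed sample: the config as originally posted (with the defects).
POSTED_EXPORT = """\
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77
add bridge="bridge 1" comment=defconf interface=ether3
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" vlan-ids=77
"""

# Constructed sample: the same sections with pvid, untagged and frame-types
# made explicit, as the reply suggests.
FIXED_EXPORT = """\
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77 \\
    frame-types=admit-only-untagged-and-priority-tagged
add bridge="bridge 1" comment=defconf interface=ether3 pvid=77 \\
    frame-types=admit-only-untagged-and-priority-tagged
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77 \\
    frame-types=admit-only-untagged-and-priority-tagged
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66 \\
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" untagged=ether5 vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" untagged=ether2,ether3,ether4 vlan-ids=77
"""


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for the 'add' lines.

    A trailing backslash continues the entry on the next line, as in
    /export output. Quoted values such as "bridge 1" are handled by shlex.
    """
    sections = defaultdict(list)
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)
        if current is None or not tokens or tokens[0] != "add":
            continue
        entry = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def _split_list(value):
    return [m for m in value.split(",") if m]


def audit_bridge_vlans(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    vlans = cfg.get("/interface bridge vlan", [])
    findings = []

    # Explicit untagged membership per VLAN id from /interface bridge vlan.
    untagged_by_vid = {}
    for v in vlans:
        members = _split_list(v.get("untagged", ""))
        # The bridge itself being tagged does not count as a member port.
        tagged = [m for m in _split_list(v.get("tagged", "")) if m != v.get("bridge")]
        for vid in _split_list(v.get("vlan-ids", "")):
            untagged_by_vid[vid] = set(members)
            if not members and not tagged:
                findings.append(f"vlan {vid}: no member ports (only the bridge itself is tagged)")

    for p in ports:
        name = p.get("interface", "?")
        pvid = p.get("pvid")
        if pvid is None:
            findings.append(f"{name}: no pvid set, untagged frames land in VLAN 1")
            continue
        if name not in untagged_by_vid.get(pvid, set()):
            findings.append(f"{name}: pvid={pvid} but not listed as untagged for vlan {pvid}")
        if "frame-types" not in p:
            findings.append(f"{name}: access port without frame-types "
                            "(consider admit-only-untagged-and-priority-tagged)")
    return findings


if __name__ == "__main__":
    for label, export in (("posted", POSTED_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"== {label} ==")
        for finding in audit_bridge_vlans(export) or ["no findings"]:
            print(" -", finding)
```

Run it against the output of `/export` (or `/export verbose`, which also shows the implicitly added `untagged` entries) to see whether the pvid, untagged and frame-types settings actually line up before trusting the port isolation.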