bdllaguna
just joined
Topic Author
Posts: 2
Joined: Fri Feb 17, 2023 7:36 pm

Incorrect IP for the VLAN

Wed Feb 22, 2023 7:40 pm

Hi everyone,

I have encountered this issue with the assigned static IP for the device. After some time, a new IP was provided to the device with an incorrect VLAN IP. The assigned VLAN IP for the device was supposed to be in VLAN 110, but it has been bound to a new IP in the VLAN 100 range. I'm using a MikroTik RB760iGS and a TP-Link managed switch.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Incorrect IP for the VLAN

Thu Feb 23, 2023 8:15 pm

Don't see a clear issue on the MT, so I suspect the issue is in the other device's settings (TP-Link)?

Step 1. Remove this rule; it is not required in 99% of cases. Use normal firewall rules.

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes


Step 2. Since there are no differences between any of your trunk ports (they all get the same tagged VLANs), you can simplify.
/interface bridge vlan
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=120
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=110
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=100


/interface bridge vlan
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=100,110,120


Step 3. Your firewall rules need a smidge of work, mostly in content, but I commend you on not having any YouTube bloatware; a refreshing change.

The only major change I would make is not letting EVERYONE have full access TO the router (which is what the input chain is for).
Thus the idea is that you only give the ADMIN full access, while everyone else gets only the router services they need, such as DNS etc.
Thus you need to first create a firewall address list.

/ip firewall address-list { based on going into DHCP leases and making the MAC-to-IP bindings static/fixed }
add address=Admin-Desktop_IP list=Authorized
add address=Admin-Laptop_IP list=Authorized
add address=Admin-IPad/IPhone_IP list=Authorized
add address=Admin-Remote_IP list=Authorized
( if you set up WireGuard so you can remotely configure the router while away )

Fixed.
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=VLAN protocol=udp
{ add 123 to dst-port, i.e. dst-port=53,123, for NTP or other router services if required }
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
{ Add this last, otherwise you may lock yourself out }
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ADGuard Access to Everyone" dst-address=10.0.0.10 in-interface-list=VLAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Billy-PC Access to Everyone" dst-address=10.0.0.100 in-interface-list=VLAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward


Step 4. I do have a question: is ADGUARD something set up on 10.0.0.10 which users should use for DNS services?
If so, there may be a better way.

First thing is you will need to create another firewall address list called EXCLUDED. This must contain the AdGuard itself (as noted previously, you don't want it to point at itself), plus any other users you want exempted, or, for example, if you created another VLAN and wanted the whole VLAN exempted.
/ip firewall address-list
add address=10.0.0.10 list=EXCLUDED


/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
( one should not point the AdGuard at itself, so the DNS server for its own subnet must remain the router interface )
add address=10.0.10.0/24 dns-server=10.0.0.10 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.0.10 gateway=10.0.20.1

/ip firewall filter ( GOOD, already done )
add action=accept chain=forward comment="ADGuard Access to Everyone" dst-address=10.0.0.10 in-interface-list=VLAN

Destination NAT rules to aggressively push users to AdGuard ( and to capture users within the same subnet/VLAN as AdGuard ).
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=tcp to-addresses=10.0.0.10
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=udp to-addresses=10.0.0.10


Finally, a HAIRPIN NAT source NAT rule for the users within the same subnet/VLAN as AdGuard, for their use of AdGuard to work properly.
/ip firewall nat
add chain=srcnat action=masquerade dst-address=10.0.0.0/24 src-address=10.0.0.0/24
 
bdllaguna
just joined
Topic Author
Posts: 2
Joined: Fri Feb 17, 2023 7:36 pm

Re: Incorrect IP for the VLAN

Fri Feb 24, 2023 5:46 am

Thank you for your input. I already did the necessary changes to the Mikrotik.
Yes, I do use Adguard as my DNS service for all of the users.

Using this DNS server address causes a network interruption ("Your connection was interrupted"):
 #  ADDRESS        GATEWAY     DNS-SERVER
 0  10.0.0.0/24    10.0.0.1    10.0.0.1
 1  10.0.10.0/24   10.0.10.1   10.0.10.1
 2  10.0.20.0/24   10.0.20.1   10.0.20.1

To resolve this issue, I used the AdGuard IP for the DNS server:
 #  ADDRESS        GATEWAY     DNS-SERVER
 0  10.0.0.0/24    10.0.0.1    10.0.0.10
 1  10.0.10.0/24   10.0.10.1   10.0.0.10
 2  10.0.20.0/24   10.0.20.1   10.0.0.10

I will further check if there will be an incorrect IP for the client with this refresh confirmation.
