Hi, I bought two CSS610s for aggregating multiple networks over a single cable using VLAN as the configuration shown in the following picture:

Switch A is in the living room and connects to the router, NVR, and TV.
Switch B is enclosed in a metal media box in the wall with ISP's ONU and cables to all rooms.
The main goal of VLAN is splitting WAN and LAN. However, I noticed that all devices connected to the two CSS610s have extremely slow or no Internet access. While doing a ping on those devices, I noticed something very odd:
ping from the router to the devices connected to the two switches: reachable with almost no packet loss.
ping from the devices connected to the two switches to the router or internet: reachable with serious packet loss
The NVR can capture videos from CCTV cameras with no issue, but the NVR has no access to the internet and is unable to view videos from the cloud.
Devices connected to the router have internet access with no issues.
I have wondered whether the CCTV cameras drag the performance since I have read some articles online says CCTV cameras and NVR better to be under a separate router and connect that router to the main router in order to avoid network conjunction issues, but I tried removing the whole CCTV system from the network and the problem still exists.
Any help will be appreciated.
My VLAN settings on both CSS610s:

What kind of device is your router (on the far left of your diagram)? Is it picky about which port to connect towards internet? It might be detecting loop as you're connecting router and switch using two physical connections and RSTP (nowdays enabled by default on most switches and bridges) ignores VLANs, so it's likely detecting a loop. So you may have to set involved ports as edge ports on both devices (router and switch) ... or disable RSTP on both devices (but be careful not to create a loop somewhere).

How about the internet on the far right side of diagram? What kind of device is there? A simple ONT which foes more or less only conversion between different media (GPON to ethernet) or is it doing more than that?

What kind of device is your router (on the far left of your diagram)? Is it picky about which port to connect towards internet? It might be detecting loop as you're connecting router and switch using two physical connections and RSTP (nowdays enabled by default on most switches and bridges) ignores VLANs, so it's likely detecting a loop. So you may have to set involved ports as edge ports on both devices (router and switch) ... or disable RSTP on both devices (but be careful not to create a loop somewhere).

How about the internet on the far right side of diagram? What kind of device is there? A simple ONT which foes more or less only conversion between different media (GPON to ethernet) or is it doing more than that?

The router is an Asus AX11000Pro, I use a random router image here for demonstration purposes. I have tried disabling RSTP for all ports but it can't fix the problem. The ONT is just a simple GPON to ethernet modem.

As I wrote, your router will have to cooperate in that non-standard setup of yours. Do some research about what can be done on it.

What he is doing is in a way similar to what I am doing. My cable internet terminates in my family room and connects to a CSS326 switch (where it gets encapsulated on VLAN 100). That CSS326 has a trunk to another CSS326 in my garage data cabinet. One port of the garage CSS326 is VLAN 100 (untagged) and connects to a port on my RB4011 router. The several LANs that use the cable internet then come out of the RB4011 and connect either as untagged LANs to the same garage CSS326 switch or for a couple lightly used LANs as part of a VLAN trunk port. Most of those LANs also go back to the family room CSS326 via the VLAN trunk. I do have RSTP disabled on all those ports involved.

All works just fine...

Yes, it works fine. Because your RB4011 cooperates as it's flexible enough to take necessary config without womiting. Not all routers are as flexible. Or are flexible but configured in a non-compatible way (by ISP). Hence my question about ability to configure the "black box" router on diagram by @OP.

For example: my ISP is giving out a device which can be router (or can be configured in bridge mode). It has a port clearly marked as WAN and has a few LAN ports. Now, my ISP offers IPTV as multicasts over VLAN and any of those LAN ports can be configured as "combined" port (data+IPTV). I happen to know that IPTV VLAN is simply switched between WAN port and LAN port ... which very likely means that WAN port is also member of same LAN bridge. And if that bridge has xSTP enabled, it will cause problems if that device is connected to same switch with two cables ... unless both sides are properly configured for such connection (e.g. xSTP disabled on those ports on both sides) ... which is not supported on device my ISP is handing out.

Yes, it works fine. Because your RB4011 cooperates as it's flexible enough to take necessary config without womiting. Not all routers are as flexible. Or are flexible but configured in a non-compatible way (by ISP). Hence my question about ability to configure the "black box" router on diagram by @OP.

Completely agree. In his other post on this same subject, I had asked what is the unnamed router on the left. In my case, both my cable and fiber internet ISPs provide a modem that operated in bridge mode. The cable comes into my family room and runs through the two switches as described in my previous post. The fiber ONT is just a few inches from the RB4011 and is cabled directly into one of the RB4011 ports.

No it’s still no use.

A shot in the dark, what if you add VLAN 10 and put a check mark for SFP1 on both switches. Does it affect anything?

A shot in the dark, what if you add VLAN 10 and put a check mark for SFP1 on both switches. Does it affect anything?

I have tried, but still no use.

The problem has been temporarily solved.
I noticed that my router has the same MAC address on its LAN ports as on the WAN ports, I didn't overthink this since I assumed that VLAN would split these two ports traffic apart, and I was wrong.
I use ACL to force redirect all packets that have VLAN ID 30 from SFP+1 to port 2, and everything on Switch B works now. Hope Mikrotik will fix this bug in the future SWOS Lite release.

I wouldn't put the blame on the switch, your router is advertising the same MAC address on two (I assume) different interfaces. This would not be expected behavior from typical equipment.

Hope Mikrotik will fix this bug in the future SWOS Lite release.

It isn't a bug as such. Switches may support either shared VLAN learning (SVL) or independent VLAN learning (IVL) modes of operation:
In SVL mode there is a single MAC address table so any learnt address applies to all VLANs.
In IVL mode there is a MAC address table for each VLAN so the same MAC address can be associated with different ports in each VLAN.

AFAIK SwOS Lite only supports SVL, whereas SwOS supports SVL and IVL (configurable). I wouldn't expect this to change.

Hope Mikrotik will fix this bug in the future SWOS Lite release.

It isn't a bug as such. Switches may support either shared VLAN learning (SVL) or independent VLAN learning (IVL) modes of operation:
In SVL mode there is a single MAC address table so any learnt address applies to all VLANs.
In IVL mode there is a MAC address table for each VLAN so the same MAC address can be associated with different ports in each VLAN.

AFAIK SwOS Lite only supports SVL, whereas SwOS supports SVL and IVL (configurable). I wouldn't expect this to change.

I see, but anyway I really hope they can add this (IVL) feature to SWOS Lite firmware in the future since CSS610 is probably the only managed switch that has 2 SFP+ ports, 8 Gigabit ports, and fits into small spaces like a media box.