(1) I would ensure these are complete though...
Missing PVID!!
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
(2) Then you define wlan3 and wlan4, but where are they on the bridge ports??
Should be:
/interface bridge port
add bridge=bridge comment="Trunk to MT Ap/swtich" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=\
"ether2[Mikrotik-AP]"
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether3[NetgeatSW]" pvid=2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether4[OGNW]" pvid=2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether5[Management]" pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
(3) Fix your Interface list members!!
/interface list member
add comment=defconf interface="ether1[WAN]" list=WAN
add interface=vlan2-home list=LAN
add interface=vlan10-guest list=LAN
add interface="ether5[Management]" list=LAN
(4) I am very confused by your use of ethernet 5.
REMOVE the IP address you entered for it!!!
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan2-home network=\
192.168.88.0
add address=192.168.89.1/24 interface=vlan10-guest network=192.168.89.0
add address=192.168.88.1/24 interface="ether5[Management]" network=\
192.168.88.0
(5) This is a potentially dangerous config line and I would remove it for now, and then state what you meant by having it...
add action=accept chain=input dst-port=80 protocol=tcp
(6) Get rid of the not-required noise in the firewall rules: anything not needed or duplicate (marked in purple).
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=reject chain=input comment=DDOS-UDP dst-port=53 in-interface=\
"ether1[WAN]" protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment=DDOS-TCP dst-port=53 in-interface=\
"ether1[WAN]" protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else" disabled=yes
Should look like:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow trusted LAN" in-interface=vlan2-home
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else" { put this last, after the allow LAN rule, or you will lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
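The mistakes called out above (bridge ports admitting untagged frames with no pvid, an input-chain accept open to every interface, duplicate firewall rules, and rules placed after a catch-all drop) are all mechanical enough to catch before pasting a config into a router. The script below is an added example written for this thread, not MikroTik tooling and not code from the original post: it parses the `add` lines of a RouterOS export (with `\` line continuations) and reports those four classes of problem. The export it runs on is a constructed sample shaped like the snippets above; the only RouterOS fact it relies on is that an unset pvid defaults to 1.

```python
"""Lint a RouterOS export for bridge ports without a pvid, input accepts
open to every interface, duplicate firewall rules, and rules shadowed by
an earlier catch-all drop/reject. Example code for this thread only."""
import shlex

# Constructed sample export, shaped like the snippets quoted in the post.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface="ether2[Mikrotik-AP]"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface="ether3[NetgearSW]" pvid=2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="User access to DNS" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
"""

# Keys that are not packet-match criteria.
NON_MATCH = {"_section", "chain", "action", "comment", "disabled", "log", "log-prefix"}
# Any of these restricts where an input accept can be hit from.
SOURCE_KEYS = {"in-interface", "in-interface-list", "src-address",
               "src-address-list", "connection-state"}


def parse_export(text):
    """Return one dict per 'add' line; '_section' holds the enclosing /path."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # continuation: keep head, join next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue                     # 'set' lines are not needed here
        params = {"_section": section}
        for tok in shlex.split(line[4:]):  # shlex strips the quotes around values
            if "=" in tok:
                key, val = tok.split("=", 1)
                params[key] = val
        entries.append(params)
    return entries


def firewall_rules(entries):
    return [e for e in entries if e["_section"] == "/ip firewall filter"]


def match_keys(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCH}


def check_bridge_pvid(entries):
    """Untagged-admitting bridge ports need an explicit pvid (unset = VLAN 1)."""
    out = []
    for e in entries:
        if e["_section"] != "/interface bridge port":
            continue
        if e.get("frame-types", "admit-all") != "admit-only-vlan-tagged" and "pvid" not in e:
            out.append(f"bridge port {e['interface']}: admits untagged frames but pvid is unset (defaults to 1)")
    return out


def check_open_input_accepts(entries):
    """Input accepts on a port with no source restriction are reachable from WAN."""
    out = []
    for r in firewall_rules(entries):
        if (r.get("chain") == "input" and r.get("action") == "accept"
                and "dst-port" in r and not SOURCE_KEYS & r.keys()):
            out.append(f"input accept {r.get('protocol', 'any')}/{r['dst-port']}: reachable from every interface, WAN included")
    return out


def check_duplicates(entries):
    """Same chain, action and match criteria as an earlier rule (comment ignored)."""
    out, seen = [], {}
    for i, r in enumerate(firewall_rules(entries)):
        key = (r.get("chain"), r.get("action"), tuple(sorted(match_keys(r).items())))
        if key in seen:
            out.append(f"rule {i}: duplicate of rule {seen[key]} ({r.get('chain')} {r.get('action')})")
        else:
            seen[key] = i
    return out


def check_shadowed(entries):
    """Rules after an enabled catch-all drop/reject in the same chain never run."""
    out, catch_all = [], {}
    for i, r in enumerate(firewall_rules(entries)):
        chain = r.get("chain")
        if chain in catch_all:
            out.append(f"rule {i}: never reached, {chain} chain already ends at catch-all rule {catch_all[chain]}")
        elif (r.get("action") in ("drop", "reject") and not match_keys(r)
              and r.get("disabled") != "yes"):
            catch_all[chain] = i
    return out


def lint(text):
    entries = parse_export(text)
    return (check_bridge_pvid(entries) + check_open_input_accepts(entries)
            + check_duplicates(entries) + check_shadowed(entries))


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Rule numbers in the output count only `/ip firewall filter` entries from 0, which matches the order `/ip firewall filter print` shows. Run it against `/export` output saved to a file by replacing `SAMPLE_EXPORT` with the file contents; a clean config produces no output.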