kolt
just joined
Topic Author
Posts: 13
Joined: Mon Aug 07, 2023 1:37 am

Firewall rules not applying to bridge

Wed Apr 17, 2024 8:24 am

I recently installed a CCR2004 12 SFP+ router and have been trying to set it up and get familiar with RouterOS. I chose the device because of the many SFP+ ports to connect to devices, aside from RouterOS. I have a VLAN (VLAN 10) under the bridge interface which has its addresses and DHCP server set up and working. This VLAN is untagged to port 11 and tagged to port 12 on the bridge, where it eventually gives access to an access point. When I connect a device to the access point under VLAN 10, I get the proper DHCP assignment and I can ping another device within the VLAN connected to port 11. However, when trying to make a firewall rule to disallow traffic between the two hosts, it doesn't seem to apply and I can still ping the device connected to port 11. Attached is my config. Line 80 is the firewall rule in question, and I am still allowed to ping even when disabling the recommended default rules below, one of which I know deals with letting established connections through. Also tried the input chain; still won't work.

Thanks
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Firewall rules not applying to bridge

Wed Apr 17, 2024 4:40 pm

Since gateways are MT interfaces, one can always ping the vLAN gateway but one should not be able to ping other users or worse access them ( I mean across vlans ).
 
mkx
Forum Guru
Posts: 11748
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rules not applying to bridge

Wed Apr 17, 2024 4:43 pm

However, when trying to make a firewall rule to disallow traffic between the two hosts, it doesn't seem to apply and I can still ping the device connected to port 11.

Firewall rules act on L3 (IP) ... and that happens when the router does routing between two devices. Routing is when both devices are aware of a "gateway" between them.

What you did was to establish a bridge between both ports (it doesn't matter if one is tagged and the other untagged). A bridge is an L2 entity, similar to a switch, and devices talk to each other "directly" (from the IP point of view), without the help of the router. Hence they don't traverse any of the firewall stuff in the router.

Now, if you insist on filtering traffic between two bridged ports, you have two possibilities:
  1. go into /interface/bridge/filter and create some filters which will drop the traffic you don't want to allow to pass
    Your device doesn't feature a switch chip, so I don't think you'd have to set hw=no on any of the involved ports ... but if your filters don't seem to work, you can try to do it anyway
  2. create firewall filter rules, but for the bridge to consult them you have to set /interface/bridge/settings/set use-ip-firewall-for-vlan=yes. You may have to disable hw (see previous bullet) on the involved ports. And beware, when firewall rules are used on bridge traffic, some features are not available (e.g. in-interface or out-interface, etc.) ... filter rules will be accepted, but they won't match any traffic
All in all, you have to ask yourself why you would place two devices into the same IP subnet but would like to selectively pass traffic between them.

BTW, since your device is without a switch chip, it's not very well suited for switch tasks (all traffic will have to pass through the general purpose CPU).
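The two possibilities above, written out as an added example (this is not code from the thread or from MikroTik's documentation). The names bridge1, sfp-sfpplus11 and sfp-sfpplus12 follow the configuration posted later in this thread; the two host addresses 192.168.10.20 and 192.168.10.30 are constructed placeholders, and the note that use-ip-firewall-for-vlan depends on use-ip-firewall is an assumption taken from RouterOS behaviour, not something stated in the post.

```routeros
# Added example: block traffic between two hosts that sit on the same
# bridge and the same VLAN (VLAN 10). Port 11 is the untagged access port,
# port 12 is the tagged trunk towards the access point.

# --- Option 1: bridge filter (L2), matching on bridge ports -------------
# Frames forwarded between port 11 and port 12 never enter /ip firewall,
# so they have to be dropped where the bridge forwards them.
# A rule is needed for each direction. Port 11 only carries VLAN 10, so
# this does not affect VLAN 80 on the trunk.
/interface bridge filter
add chain=forward in-interface=sfp-sfpplus11 out-interface=sfp-sfpplus12 \
    action=drop comment="block port11 -> port12 (L2)"
add chain=forward in-interface=sfp-sfpplus12 out-interface=sfp-sfpplus11 \
    action=drop comment="block port12 -> port11 (L2)"

# Check: ping between the two hosts and watch the counters. If they stay
# at zero the frames are not reaching the bridge filter (then try hw=no on
# the two bridge ports, as the post above suggests).
/interface bridge filter print stats

# --- Option 2: push bridged VLAN traffic through /ip firewall ----------
# Assumption: use-ip-firewall-for-vlan=yes only has an effect when
# use-ip-firewall=yes is set as well.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# Bridged packets now traverse the forward chain. in-interface will not
# match the physical port here, so match on addresses (in-bridge-port /
# out-bridge-port are the port matchers that do work for bridged traffic).
# place-before=0 puts the drops ahead of the fasttrack / accept-established
# rules; alternatively add them and use "/ip firewall filter move".
# Hosts: 192.168.10.20 and 192.168.10.30 are constructed placeholders.
/ip firewall filter
add chain=forward src-address=192.168.10.20 dst-address=192.168.10.30 \
    action=drop comment="bridged: host A -> host B" place-before=0
add chain=forward src-address=192.168.10.30 dst-address=192.168.10.20 \
    action=drop comment="bridged: host B -> host A" place-before=0

# Check: same ping test, this time the /ip firewall counters must move.
/ip firewall filter print stats where comment~"bridged"
```

Use one option, not both: option 1 keeps the decision on the bridge and costs nothing in the IP firewall, while option 2 sends every bridged VLAN frame through conntrack and the filter chains on this CPU-only device, which is the performance caveat the post above points out.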
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Firewall rules not applying to bridge

Wed Apr 17, 2024 5:38 pm

Why do you have an IP pool for the bridge and NOT for vlan80? You don't need one for the bridge.
If you want another subnet, create a VLAN.......
Same issue with the DHCP server.
Okay, it's clear you communicated about two VLANs, but you failed to mention another subnet........!!

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan80 vlan-id=80
add interface=bridge1 name=vlan11 vlan-id=11


/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool80 ranges=192.168.80.2-192.168.80.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan11 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp2
add address-pool=dhcp_pool80 interface=vlan80 name=dhcp8

Basically all access ports except sfp-sfpplus12 which is a trunk port carrying the Trusted subnet vlan10 and vlan80.

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus2 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus3 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus4 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus5 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus6 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus7 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus8 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus9 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus10 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus11 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp28-1 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp28-2 pvid=11


I always manually insert the untagged ports so I can cross check visually with my bridge ports and so that it shows up on an export as well.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,\
sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp28-1,sfp28-2 vlan-ids=11
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 untagged=sfp-sfpplus11 vlan-ids=10

add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 vlan-ids=80

Fix your Interface list members
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN comment="user lan"
add interface=vlan80 list=LAN
add interface=vlan11 list=MGMT comment="Trusted Subnet"
add interface=vlan10 list=CCTV
add interface=vlan80 list=CCTV


Note: vlan11, if it's the trusted subnet, is where all smart devices on your network should get their IP address from!

Logically need this as well. :-)
/interface list
add name=WAN
add name=LAN
add name=CCTV
add name=MGMT


Need to change....
/ip address
add address=192.168.1.1/24 interface=vlan11 network=192.168.1.0
add address=192.168.80.1/24 interface=vlan80 network=192.168.80.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0


/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1
add address=192.168.80.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.80.1


/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT


+++++++++++++++++++++++++++++++++++

Lastly clean up and simplify firewall.
You cannot block people from each other in the same subnet......... Firewall rules are L3 (IP address); users within the same subnet talk at L2 (MAC address).

/ip firewall address-list { set DHCP static leases for these users }
add address=192.168.1.X list=allowed_to_router comment="Admin desktop wired"
add address=192.168.1.Y list=allowed_to_router comment="Admin laptop wired"
add address=192.168.1.Z list=allowed_to_router comment="Admin laptop WIFI"
add address=192.168.1.AB list=allowed_to_router comment="Admin smartphone/ipad WIFI"

add address=192.168.1.37 list=allowed_to_cctv
add address=192.168.1.209 list=allowed_to_cctv
add address=192.168.10.247 list=allowed_to_cctv
add address=192.168.10.246 list=allowed_to_cctv
add address=192.168.1.251 list=allowed_to_cctv

/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=allowed_to_router comment="ADMIN ONLY"
add action=accept chain=input comment="Users to Services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="Users to Services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface-list=CCTV src-address-list=allowed_to_cctv
add action=drop chain=forward comment="Drop all else"


Assumption was that all subnets need internet access.
If the cctv vlans do not require internet access then rewrite the LAN to WAN rule into two rules
and order of rules is important:

add action=drop chain=forward in-interface-list=CCTV out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN


If by chance, only vlan80 should not have internet access, one could modify the current single rule like so:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN src-address=!192.168.80.0/24
