Why do you have an IP pool for the bridge and NOT for vlan80? >> Don't need one for the bridge.
If you want another subnet, create a vlan.......
Same issue with dhcp-server.
Okay, it's clear you communicated about two vlans, but you failed to mention another subnet........!!
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan80 vlan-id=80
add interface=bridge1 name=vlan11 vlan-id=11
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool80 ranges=192.168.80.2-192.168.80.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan11 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp2
add address-pool=dhcp_pool80 interface=vlan80 name=dhcp8
Basically all access ports except sfp-sfpplus12 which is a trunk port carrying the Trusted subnet vlan10 and vlan80.
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus2 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus3 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus4 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus5 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus6 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus7 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus8 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus9 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus10 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus11 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp28-1 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp28-2 pvid=11
I always manually insert the untagged ports so I can cross check visually with my bridge ports and so that it shows up on an export as well.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,\
sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp28-1,sfp28-2 vlan-ids=11
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 untagged=sfp-sfpplus11 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 vlan-ids=80
Fix your Interface list members
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN comment="user lan"
add interface=vlan80 list=LAN
add interface=vlan11 list=MGMT comment="Trusted Subnet"
add interface=vlan10 list=CCTV
add interface=vlan80 list=CCTV
Note: vlan11, if it's the trusted subnet, is where all smart devices on your network should get their IP address from!
Logically need this as well.
/interface list
add name=WAN
add name=LAN
add name=CCTV
add name=MGMT
Need to change....
/ip address
add address=192.168.1.1/24 interface=vlan11 network=192.168.1.0
add address=192.168.80.1/24 interface=vlan80 network=192.168.80.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1
add address=192.168.80.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.80.1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
+++++++++++++++++++++++++++++++++++
Lastly clean up and simplify firewall.
You cannot block people from each other in the same subnet......... Firewall rules are L3 (IP address); users within the same subnet talk at L2 (MAC address).
/ip firewall address-list
# set dhcp static leases for these users
add address=192.168.1.X list=allowed_to_router comment="Admin desktop wired"
add address=192.168.1.Y list=allowed_to_router comment="Admin laptop wired"
add address=192.168.1.Z list=allowed_to_router comment="Admin laptop WIFI"
add address=192.168.1.AB list=allowed_to_router comment="Admin smartphone/ipad WIFI"
add address=192.168.1.37 list=allowed_to_cctv
add address=192.168.1.209 list=allowed_to_cctv
add address=192.168.10.247 list=allowed_to_cctv
add address=192.168.10.246 list=allowed_to_cctv
add address=192.168.1.251 list=allowed_to_cctv
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=allowed_to_router comment="ADMIN ONLY"
add action=accept chain=input comment="Users to Services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="Users to Services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface-list=CCTV src-address-list=allowed_to_cctv
add action=drop chain=forward comment="Drop all else"
Assumption was that all subnets need internet access.
If the cctv vlans do not require internet access then rewrite the LAN to WAN rule into two rules
and order of rules is important:
add action=drop chain=forward in-interface-list=CCTV out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
If by chance, only vlan80 should not have internet access, one could modify the current single rule like so:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN src-address=!192.168.80.0/24
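As an added example (not the poster's configuration and not MikroTik code), here is a small Python linter that parses a RouterOS export in the format quoted above and flags the kind of mistakes this reply calls out: a DHCP server bound to the bridge instead of a VLAN interface, a VLAN with no /ip address or no DHCP server, a VLAN missing from every interface list (so LAN/CCTV/MGMT rules never match it), an access port whose pvid has no matching untagged entry under /interface bridge vlan, and an input or forward chain that does not end in an unconditional drop. The embedded export is constructed and contains deliberate mistakes; the section paths and key names are the ones RouterOS prints, but the checks and finding messages are my own.

```python
"""Lint a RouterOS export for VLAN / DHCP / interface-list / firewall
consistency. Added example; not from the forum post or from MikroTik."""
import shlex
from collections import defaultdict

# Constructed export with deliberate mistakes (hypothetical; not the poster's config):
# dhcp8 bound to bridge1, vlan80 with no address and no list membership,
# sfp-sfpplus11 pvid=10 but not untagged in bridge vlan 10, input chain without a final drop.
SAMPLE_EXPORT = r"""
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan80 vlan-id=80
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan11 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp2
add address-pool=dhcp_pool80 interface=bridge1 name=dhcp8
/ip address
add address=192.168.1.1/24 interface=vlan11 network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/interface bridge port
add bridge=bridge1 frame-types=admit-priority-and-untagged interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 frame-types=admit-priority-and-untagged interface=sfp-sfpplus11 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 untagged=sfp-sfpplus1,\
    sfp-sfpplus2 vlan-ids=11
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12 vlan-ids=80
/interface list member
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN comment="user lan"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
"""


def parse_export(text):
    """Group 'add'/'set' lines by their '/path' section, each as a {key: value}
    dict. Joins RouterOS '\\' line continuations the way the CLI does."""
    sections, current, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continuation: glue the next line on
            buf += line[:-1]
            continue
        line, buf = (buf + line.lstrip()).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        words = shlex.split(line)          # respects comment="with spaces"
        if words[0] in ("add", "set"):
            sections[current].append(dict(w.partition("=")[::2] for w in words[1:]))
    return sections


def lint(sections):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    vlans = {e["name"] for e in sections["/interface vlan"]}
    addressed = {e.get("interface") for e in sections["/ip address"]}
    dhcp_on = {e.get("interface") for e in sections["/ip dhcp-server"]}
    lists = defaultdict(set)
    for e in sections["/interface list member"]:
        lists[e["interface"]].add(e["list"])
    for v in sorted(vlans):                # L3 side: every VLAN needs address, DHCP, list
        if v not in addressed:
            findings.append(f"{v}: no /ip address, so it has no gateway to hand out")
        if v not in dhcp_on:
            findings.append(f"{v}: no DHCP server bound to it")
        if not lists[v]:
            findings.append(f"{v}: in no interface list, so LAN/CCTV/MGMT rules never match it")
    for e in sections["/ip dhcp-server"]:
        if e.get("interface") not in vlans:
            findings.append(f"dhcp-server {e.get('name')}: bound to {e.get('interface')}, not a VLAN interface")
    # L2 side: a port's pvid only works if the port is untagged in that bridge vlan entry
    untagged = defaultdict(set)
    for e in sections["/interface bridge vlan"]:
        for vid in e["vlan-ids"].split(","):
            untagged[vid].update(p for p in e.get("untagged", "").split(",") if p)
    for e in sections["/interface bridge port"]:
        pvid = e.get("pvid")
        if pvid and e["interface"] not in untagged[pvid]:
            findings.append(f"{e['interface']}: pvid={pvid} but not untagged in bridge vlan {pvid}")
    # Each chain should end in an unconditional drop (only action/chain/comment keys)
    last = {}
    for e in sections["/ip firewall filter"]:
        last[e.get("chain")] = e
    for chain in ("input", "forward"):
        rule = last.get(chain)
        if rule is None or rule.get("action") != "drop" or set(rule) - {"action", "chain", "comment"}:
            findings.append(f"{chain} chain: no unconditional final drop rule")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

Run it against a real `/export` saved to a file by replacing SAMPLE_EXPORT with the file contents; the "pvid but not untagged" check is the one that catches an access port that silently carries the wrong VLAN, and the interface-list check catches the case this reply fixes, where a VLAN exists but no firewall rule can ever match it.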