Cannot create a guest Wi-Fi network.

When I activate VLAN filtering I lose access to my MikroTik device (it's a hAP ac2, by the way). I had to reset it and restore from backup. DHCP also doesn't work, as I just noticed. I'm lost and this is giving me a headache.

To configure without headaches, do the following (temporary):

Take ether5 off the bridge (so it is not listed under /interface bridge port or /interface bridge vlan).
Give ether5 its own IP address, like 192.168.55.1/24.
Change the IPv4 settings on your desktop or laptop and give it an IP address of 192.168.55.5, for example.
You can now configure the router safe from any bridge VLAN changes by plugging into ether5.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
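The out-of-band management port described in the reply above, written out as RouterOS 6.x CLI. This is an added example, not part of the reply or the poster's config. It assumes ether2 is a free LAN port (the reply later allows any non-WAN port), that 192.168.55.0/24 is unused, and that the bridge is the poster's bridge_spa. One check the reply does not spell out: the default firewall drops input that does not arrive from the LAN interface list, so the freed port must be added to that list or the router will not answer on 192.168.55.1.

```routeros
# Added example: temporary out-of-band management port on ether2.
# Assumptions: ether2 is free, 192.168.55.0/24 is unused, bridge is bridge_spa.

# 1. Take ether2 off the bridge. Afterwards run "/interface bridge vlan print"
#    and remove ether2 from any tagged/untagged list it still appears in.
/interface bridge port remove [find interface=ether2]

# 2. Give the port its own address, outside every bridge subnet.
/ip address add address=192.168.55.1/24 interface=ether2 comment="oob management"

# 3. The defconf input rule "drop all not coming from LAN" matches on the LAN
#    interface list; a standalone ether2 is not in it, so add it (and the
#    mac-server / mac-winbox lists reuse the same LAN list).
/interface list member add interface=ether2 list=LAN comment="oob management"

# 4. Optional: hand out an address so the laptop needs no manual IP.
#    Otherwise set the laptop to 192.168.55.5/24 as the reply says.
/ip pool add name=pool_oob ranges=192.168.55.10-192.168.55.20
/ip dhcp-server add name=dhcp_oob interface=ether2 address-pool=pool_oob disabled=no
/ip dhcp-server network add address=192.168.55.0/24 gateway=192.168.55.1

# 5. Verify before unplugging from the bridge port you are using now.
/interface bridge port print where interface=ether2
/ip address print where interface=ether2
/interface list member print where interface=ether2
```

Plug the laptop into ether2 and open Winbox or SSH to 192.168.55.1; changes to bridge_spa's VLAN table or vlan-filtering no longer affect this session. Remove the address, the list membership and the DHCP server again once the bridge configuration is finished, or leave the port as a permanent management port if the device is in a rack where that is acceptable.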

Ether5 is where I receive Internet. I tried to disconnect it from the bridge and had to reset again. You mean as a port of the bridge or as a subinterface? Because as a subinterface it doesn't let me do it, and as a port, I just told you what happened before.

Sorry, didn't realize ether5 was internet, let me rephrase... Take any one ethernet port (not WAN) that you can temporarily modify (ether1, 2, 3, 4???) off the bridge.

So why was ether5 on your bridge ports then if it was the WAN???

But the other ports are not physically connected to the network, does that matter? Anyway, I'm gonna try. I guess the "Internet port" should be ether1, but in my company they have connected it to ether5, and in defconf this ether5 comes connected to bridgelocal, and if you disconnect it you lose access to the device and have to reset it.

There are control freaks here who think you should have to go into the router/switch configuration to explicitly enable the port when plugging a new device in. Me, I just bridge all the LAN-side ports and be done with it. Decide which kind of network admin you are, and do it that way.

The real point here is that for normal use, you should never bridge the WAN port to the LAN. That bypasses the firewall and NAT layers!

The only exception I can think of is that you’re running an old-school direct-Internet-access service straight out of the late 1980s, as when you’re distributing a public AS block in an ISP, or you’re doing IPv6-only, or similar.


I guess the “Internet port” should be ether1 but in my company they have connected it to ether5

That’s perfectly fine. I do the same thing on my hAP ax³ here because of the MT engineers’ questionable design decision to make ether1 the device’s sole PoE port. My cable modem neither provides nor consumes PoE, and so with this righteous justification, I moved the WAN port to the other end of the device. :nerd_face:

I don’t use PoE on that device today, but I now have that option without reconfiguring my Internet gateway first.

RouterOS is uncommonly flexible. Your job as admin is to tell it what you want it to do, not the other way around.

Then changing ether1 to be the Internet port should be all? That makes sense, because that way I could activate VLAN filtering on the bridge and make VLANs to create network 99 (the guest network). Thank you, I'll try. Please, if I'm wrong or something is missing, I would be grateful if you let me know. Thank you tangent for the explanation.

I just tried and can't make a connection with any other port that is out of the local bridge, don't know why. I'm gonna try to make the WLANs run in another bridge apart from the local one. Should I connect ether1 to the local bridge and connect to the bridge through it, or do I just keep connecting to the bridge with ether5?

I read this post http://forum.mikrotik.com/t/can-someone-tell-me-how-to-make-a-capsman-guest-network-with-new-drivers-ax-and-ac-devices/171363/1 that says that if you create a VLAN on the ether port that is connected to your MikroTik device and you attach it as a port in the guest bridge it should work, but it doesn't for me. Is that well configured or not? And another point is that my DHCP doesn't work properly: it is not assigning the IPs well and devices don't appear in leases. When I connect to my guest Wi-Fi it gives me IPs from the local bridge and not even in the range of the local Wi-Fi DHCP. I need help.

# apr/16/2024 14:54:48 by RouterOS 6.49.10
# software id = IJH1-AHYL
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D7D1923
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name="2.4Ghz(FA)"
add band=5ghz-a/n/ac extension-channel=XXXX name="5Ghz(FA)"
/interface bridge
add name=bridge_guest
add admin-mac=08:55:31:77:CF:07 auto-mac=no name=bridge_spa
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-77CF0B wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-77CF0C wireless-protocol=802.11
/interface vlan
add interface=ether5 name=vlan_guest vlan-id=10
/caps-man datapath
add bridge=bridge_spa client-to-client-forwarding=yes local-forwarding=yes \
    name=SPA_WIFI
add bridge=bridge_guest client-to-client-forwarding=yes local-forwarding=yes \
    name=SPA_GUEST
/caps-man security
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=no encryption=aes-ccm \
    group-encryption=aes-ccm name=SPA_WIFI
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=10m name=SPA-GUEST
/caps-man configuration
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
    datapath=SPA_WIFI datapath.bridge=bridge_spa hw-retries=4 mode=ap \
    multicast-helper=full name=SPA_WIFI_2.4GHz security=SPA_WIFI ssid=\
    SPA_WIFI
add channel="5Ghz(FA)" channel.skip-dfs-channels=yes country=spain datapath=\
    SPA_WIFI datapath.bridge=bridge_spa guard-interval=any hw-retries=4 mode=\
    ap multicast-helper=full name=SPA_WIFI_5GHz security=SPA_WIFI ssid=\
    SPA_WIFI
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
    datapath=SPA_GUEST hw-retries=4 mode=ap multicast-helper=full name=\
    SPA_GUEST security=SPA-GUEST ssid=SPA_GUEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool0 ranges=192.168.101.80-192.168.101.99
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.15
/ip dhcp-server
add address-pool=pool0 disabled=no interface=bridge_spa name=SPA_WIFI
add address-pool=dhcp_pool1 disabled=no interface=bridge_guest name=SPA_GUEST
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge_spa
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration=SPA_WIFI_2.4GHz name-format=identity \
    slave-configurations=SPA_GUEST
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=SPA_WIFI_5GHz name-format=identity
/interface bridge port
add bridge=bridge_spa interface=ether2
add bridge=bridge_spa interface=ether3
add bridge=bridge_spa interface=ether4
add bridge=bridge_spa interface=ether5
add bridge=bridge_spa interface=wlan1
add bridge=bridge_spa interface=wlan2
add bridge=bridge_guest interface=vlan_guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_spa list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=bridge_spa discovery-interfaces=bridge_spa enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.101.195/24 interface=bridge_spa network=192.168.101.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
/ip dhcp-client
add disabled=no interface=bridge_spa
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
    192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" in-interface-list=WAN \
    src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=SPA_WADMIN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
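The export above builds the guest network as a second bridge (bridge_guest) fed by a VLAN sub-interface of ether5, while ether5 is at the same time a port of bridge_spa; in RouterOS a port that belongs to a bridge hands its frames to that bridge, so a VLAN interface created directly on such a port sees no traffic, and VLAN interfaces are instead created on the bridge itself. The following is an added example of the single-bridge, VLAN-filtering layout the thread is working towards, written for RouterOS 6.49.x; it is not the poster's config and not a MikroTik document. It assumes ether1 is the WAN (as tangent suggested), VLAN 99 is the guest network (the poster's "network 99"), and that the device serves its own radios with a virtual AP rather than through CAPsMAN (with CAPsMAN the tagging would be done in the datapath's vlan-id / vlan-mode=use-tag, which is not shown here). bridge_spa, SPA_GUEST and the 192.168.99.0/24 range come from the posted export; sp_guest, vlan99_guest, GUEST and the pre-shared key are placeholder names.

```routeros
# Added example: guest Wi-Fi as VLAN 99 on one VLAN-filtering bridge.
# Assumptions: ether1 = WAN, bridge_spa already holds ether2-5 and wlan1/2 at
# the default pvid=1, no CAPsMAN on this box. Apply from the out-of-band port
# or in Safe Mode (Ctrl+X in the terminal) so a mistake can be rolled back.

# 1. Wireless: keep the existing SSID on the masters, add a guest virtual AP.
#    default-forwarding=no keeps guest clients from talking to each other.
/interface wireless security-profiles
add name=sp_guest mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE-ME
/interface wireless
add master-interface=wlan1 name=wlan1_guest mode=ap-bridge ssid=SPA_GUEST \
    security-profile=sp_guest default-forwarding=no disabled=no
add master-interface=wlan2 name=wlan2_guest mode=ap-bridge ssid=SPA_GUEST \
    security-profile=sp_guest default-forwarding=no disabled=no

# 2. Bridge ports: the guest APs get pvid=99, so untagged client frames are
#    tagged 99 on ingress. The existing ports stay at pvid=1 (the LAN).
/interface bridge port
add bridge=bridge_spa interface=wlan1_guest pvid=99
add bridge=bridge_spa interface=wlan2_guest pvid=99

# 3. Bridge VLAN table: the bridge itself must be a tagged member of 99,
#    otherwise the router's own vlan99 interface never sees guest traffic.
/interface bridge vlan
add bridge=bridge_spa tagged=bridge_spa untagged=wlan1_guest,wlan2_guest vlan-ids=99

# 4. Layer 3 for VLAN 99: interface on the bridge, address, DHCP.
/interface vlan
add interface=bridge_spa name=vlan99_guest vlan-id=99
/ip address
add address=192.168.99.1/24 interface=vlan99_guest
/ip pool
add name=pool_guest ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add name=dhcp_guest interface=vlan99_guest address-pool=pool_guest disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# 5. Firewall: guests get DNS/DHCP from the router and Internet via the
#    existing masquerade, nothing on the LAN, no router management.
#    vlan99_guest is deliberately NOT added to the LAN list: the defconf rule
#    "drop all not coming from LAN" and the mac-server lists key off that list.
/interface list
add name=GUEST
/interface list member
add interface=vlan99_guest list=GUEST
/ip firewall filter
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53,67 \
    comment="guest: DNS and DHCP" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    comment="guest: DNS over TCP" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=forward action=drop in-interface-list=GUEST out-interface-list=LAN \
    comment="guest: isolate from LAN" \
    place-before=[find comment="defconf: fasttrack"]

# 6. Last step, and only after "/interface bridge vlan print" shows the bridge
#    tagged in 99 and every other port still untagged in 1: turn filtering on.
/interface bridge set bridge_spa vlan-filtering=yes
```

Order matters in two places. The forward drop must sit before the fasttrack rule, because a guest-to-LAN connection that is fasttracked on its first reply would bypass every later rule; and the input accepts must sit before the defconf "drop all not coming from LAN" rule, since vlan99_guest is not in the LAN list and would otherwise be dropped before it reaches the DHCP and DNS services. Enabling vlan-filtering is the final command for the same reason the thread started: with all existing ports at pvid 1 and the bridge at pvid 1, the management address on bridge_spa keeps working, and if it does not, Safe Mode or the out-of-band port gets you back.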