Cannot get VLAN DHCP Assignment on Guest WLAN

Hello MikroTik Experts.

I have a hAP ax2 (LAN Ports, WLAN, Guest WLAN) connected to a RB5009UGSIN (WAN, LAN) via dedicated Trunk (hAP ax2 ether5 -to- RB5009UGSIN ether6).

The RB5009UGSIN is the main router for the site and handles the NAT and Firewall Rules for the site.
The hAP ax2 is used to connect some LAN devices, but is primarily used for the WLAN and Guest WLAN. There is no WAN connection and only a few Firewall Rules setup to deal with VLAN.

I have tried a number of methods to get the Guest WLAN setup on a VLAN and functioning properly. All of the tutorials are years old and only worked on older versions of RouterOS that I have in another hAP ax2 with Guest WLAN setup on VLAN (working). The only thing that I can conclude is that there is something that has been changed in the newer version of RouterOS that is not allowing my setup to work.

I am trying to setup the Guest WLAN to use VLAN 52, but I cannot get the DHCP Server to assign/issue an IP Address from the Pool.

Last night and this morning I read over the “Using RouterOS to VLAN your network” tutorial from pcunite, which is an AWESOME post. I have also been scouring the RouterOS Docs on DHCP, VLAN, IP Routing, and WLAN. I have zero success. At this point, I am at a complete loss.

What is working…

  • Internet Access on LAN and WLAN
  • DHCP assignment on LAN
  • DHCP assignment on WLAN

Here is an export of my Config…

[admin@4306io_hAPax2] > export
# 2025-02-11 21:50:07 by RouterOS 7.14.1
# software id = QX75-F9BV
#
# model = C52iG-5HaxD2HaxD
# serial number = [****REDACTED****]
/interface bridge
add name=bridge1-primary vlan-filtering=yes

/interface ethernet
set [ find default-name=ether5 ] comment="[router-uplink] mikrotik rb5009ugs" name=ether5-rb5009ugs-uplnk

/interface vlan
add comment="[guest-vlan52] **TDF**" interface=bridge1-primary name=vlan52-guest vlan-id=52

/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=ROUTER-TRUNK

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180-5885 name=channel1-5g-ax width=20/40/80mhz
add band=5ghz-ac disabled=no frequency=5180-5885 name=channel2-5g-ac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412-2462 name=channel3-2g-ax width=20/40mhz
add band=2ghz-n disabled=no frequency=2412-2462 name=channel4-2g-n width=20/40mhz

/interface wifi datapath
add comment="[guest-wifi] **TDF**" disabled=no name=datapath1-guest-vlan52 vlan-id=52

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment="[primary] **HK**" disabled=no name=sec1-primary
add authentication-types=wpa2-psk,wpa3-psk comment="[legacy] **THJJJ**" disabled=no name=sec2-legacy
add authentication-types=wpa2-psk,wpa3-psk comment="[guest] **TDF**" disabled=no name=sec3-guest

/interface wifi
set [ find default-name=wifi1 ] channel=channel1-5g-ax channel.band=5ghz-ax .width=20/40/80mhz comment=**HK**_5g \
    configuration.country="United States" .mode=ap .ssid=**HK**_5g disabled=no name=wifi1-primary-5g security=\
    sec1-primary security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel=channel3-2g-ax comment=**HK**_2g configuration.country="United States" \
    .mode=ap .ssid=**HK**_2g disabled=no name=wifi2-primary-2g security=sec1-primary \
    security.authentication-types=wpa2-psk,wpa3-psk
add comment="[guest] **TDF**_5g" configuration.mode=ap .ssid=**TDF**_5g datapath.client-isolation=no \
    disabled=no mac-address=D6:01:C3:C1:4B:6D master-interface=wifi1-primary-5g name=wifi3-guest-5g security=\
    sec3-guest security.authentication-types=wpa2-psk,wpa3-psk
add comment="[guest] **TDF**_2g" configuration.mode=ap .ssid=**TDF**_2g datapath.client-isolation=yes \
    disabled=no mac-address=D6:01:C3:C1:4B:6D master-interface=wifi2-primary-2g name=wifi4-guest-2g security=\
    sec3-guest

/ip pool
add name=pool1-default ranges=192.168.1.100-192.168.1.124
add name=pool3-guest-vlan52 ranges=192.168.52.100-192.168.52.150
add name=pool2-guest ranges=192.168.1.125-192.168.1.150

/ip dhcp-server
add address-pool=pool1-default interface=bridge1-primary lease-time=1d name=dhcp1-primary
add address-pool=pool3-guest-vlan52 comment="[guest-vlan52] **TDF**" interface=vlan52-guest lease-time=3h name=\
    dhcp2-vlan52-guest

/interface bridge port
add bridge=bridge1-primary interface=ether2
add bridge=bridge1-primary interface=ether3
add bridge=bridge1-primary interface=ether4
add bridge=bridge1-primary interface=ether5-rb5009ugs-uplnk
add bridge=bridge1-primary interface=wifi1-primary-5g
add bridge=bridge1-primary interface=wifi2-primary-2g
add bridge=bridge1-primary interface=ether1
add bridge=bridge1-primary comment="[guest] **TDF**_5g" frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-guest-5g pvid=52
add bridge=bridge1-primary comment="[guest] **TDF**_2g" frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guest-2g pvid=52
add bridge=bridge1-primary comment="[guest-vlan52] **TDF**" frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan52-guest pvid=52

/interface bridge vlan
add bridge=bridge1-primary comment="[guest-vlan52] **TDF**" tagged=wifi3-guest-5g,wifi4-guest-2g,vlan52-guest \
    vlan-ids=52

/interface list member
add disabled=yes interface=ether1 list=WAN
add interface=bridge1-primary list=LAN
add interface=vlan52-guest list=VLAN
add interface=ether5-rb5009ugs-uplnk list=ROUTER-TRUNK
add interface=wifi3-guest-5g list=VLAN
add interface=wifi4-guest-2g list=VLAN

/interface wifi capsman
set interfaces="" package-path="" require-peer-certificate=no upgrade-policy=none

/ip address
add address=192.168.1.2/24 interface=bridge1-primary network=192.168.1.0
add address=192.168.10.2/24 comment="[router-uplink] mikrotik rb5009ugs" interface=ether5-rb5009ugs-uplnk network=\
    192.168.10.0
add address=192.168.52.1/24 comment="[vlan52-guest] **TDF**" interface=vlan52-guest network=192.168.52.0

/ip dhcp-client
add disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220 gateway=192.168.1.2 netmask=24
add address=192.168.52.0/24 dns-server=192.168.1.1 gateway=192.168.52.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220

/ip firewall filter
add action=accept chain=input comment="[ronin] Allow & Establish Related" connection-state=established,related
add action=accept chain=input comment="[ronin] Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="[ronin] Allow & Establish Related" connection-state=established,related
add action=accept chain=forward comment="[ronin-vlan52-guest] **TDF** - Internet Access Only" connection-state=\
    new in-interface-list=VLAN out-interface-list=ROUTER-TRUNK

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=bridge1-primary

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10 vrf-interface=bridge1-primary
add comment="[router-uplink]" disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main \
    suppress-hw-offload=no

/system identity
set name=4306io_hAPax2

/system note
set show-at-login=no
[admin@4306io_hAPax2] >

Any assistance would be very much appreciated.
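Editor's note on the hAP ax2 export above: the trunk port ether5-rb5009ugs-uplnk is not a tagged member of VLAN 52 in /interface bridge vlan, the guest wifi ports are listed as tagged while their bridge-port entries use pvid=52 (untagged access), and vlan52-guest is both a VLAN interface on the bridge and a bridge port. VLAN 52 therefore never leaves the AP on the trunk. The following is an added example of how an AP/switch-only hAP ax2 is normally configured for this; it is not the poster's config. It assumes the interface names from the export (bridge1-primary, ether5-rb5009ugs-uplnk, wifi3-guest-5g, wifi4-guest-2g), uses the bridge-port pvid rather than the wifi datapath vlan-id (use one of the two, not both), and leaves management untagged on VLAN 1. The hAP ax2 needs no VLAN interface, IP address or DHCP server for VLAN 52; the RB5009 provides those.

```routeros
# hAP ax2 as a pure AP/switch for guest VLAN 52 (added example, names assumed from the export).

# 1. Disable VLAN filtering while editing so a half-built VLAN table cannot lock you out.
/interface bridge
set bridge1-primary vlan-filtering=no

# 2. A VLAN interface on the bridge must never also be a bridge port, and an AP-only
#    device does not need an L3 presence in the guest network at all.
/interface bridge port
remove [find interface=vlan52-guest]
/ip dhcp-server
remove [find name=dhcp2-vlan52-guest]
/ip address
remove [find interface=vlan52-guest]
/interface vlan
remove [find name=vlan52-guest]

# 3. Guest SSIDs are access ports: untagged client frames are placed in VLAN 52 on ingress.
#    frame-types + ingress-filtering drop anything a guest client sends already tagged,
#    so a client cannot hop into another VLAN by tagging its own frames.
/interface bridge port
set [find interface=wifi3-guest-5g] pvid=52 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=wifi4-guest-2g] pvid=52 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 4. VLAN table: guest radios untagged, uplink to the RB5009 tagged.
#    The bridge itself is deliberately NOT a member, so the AP has no IP in VLAN 52.
/interface bridge vlan
remove [find vlan-ids=52]
add bridge=bridge1-primary vlan-ids=52 \
    untagged=wifi3-guest-5g,wifi4-guest-2g tagged=ether5-rb5009ugs-uplnk

# 5. Re-enable filtering and verify. Management (192.168.1.2 on the bridge) stays on
#    untagged VLAN 1, which the trunk carries via the default pvid=1 on ether5.
/interface bridge
set bridge1-primary vlan-filtering=yes
/interface bridge vlan print
# current-tagged should list ether5-rb5009ugs-uplnk, current-untagged the two guest radios.
/interface bridge host print
# a connected guest client's MAC should appear on its wifi port with vid 52.
```

The 192.168.10.0/24 address on ether5 adds nothing here: a trunk port is a plain bridge member and carries tagged VLAN 52 alongside untagged VLAN 1 without any IP address of its own.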

So you need your ax2 to work as an AP/switch only. In that case you don’t need 80% of this configuration.

Also I can see you tried to mess with CAPsMAN?

For only one AP capsman is not needed.

Can you post your RB5009 config?

If your RB5009 handles DHCP and NAT then why did you set up your ax2 to do the same?

Thank you so much for your response.

Correct. I am using this as an AP/Switch only. I haven’t had much luck finding anything recent (last 2 yrs) on how to set this up and have been trying ad hoc tutorials, manuals, and whatever examples I can find. I did attempt to enable CAPsMAN and it was a mess. I disabled it on both sides, but there are still pieces of it in the CLI config that I haven’t been able to clear.

As requested, here is the config for my RB5009…

[admin@4306io_RB5009UGSIN] > export
# 2025-02-12 11:28:09 by RouterOS 7.16.1
# software id = 6S4A-2AI1
#
# model = RB5009UG+S+
# serial number = [****REDACTED****]

/interface bridge
add admin-mac=F4:1E:57:82:E6:D5 auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment=2.5g name=ether1-2.5g
set [ find default-name=ether2 ] comment="sys  v3 [mcsvr]" name=ether2-sys-v3
set [ find default-name=ether3 ] comment="sys  v2" name=ether3-sys-v2
set [ find default-name=ether4 ] comment="[poe-uplink] planet 24prt" name=ether4-plnt-uplnk
set [ find default-name=ether6 ] comment="[wifi-uplink] mikrotik hap ax2" name=ether6-hap-ax2-uplnk
set [ find default-name=ether7 ] comment="[switch-uplink] netgear 24prt" name=ether7-ntgr-uplnk
set [ find default-name=ether8 ] comment=wan name=ether8-wan
set [ find default-name=sfp-sfpplus1 ] comment="10g sfp+" name=sfp-sfp+10g

/interface vlan
add comment="[guest-vlan52] **TDF**" interface=bridge-lan name=vlan52-guest vlan-id=52

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=WIRELESS-TRUNK

/ip pool
add name=pool1-default ranges=192.168.1.75-192.168.1.100
add name=pool3-guest-vlan52 ranges=192.168.52.50-192.168.52.99
add name=dhcp_pool3 ranges=192.168.52.1,192.168.52.10-192.168.52.20

/ip dhcp-server
add address-pool=pool1-default interface=bridge-lan lease-time=1d name=dhcp1-default
add address-pool=pool3-guest-vlan52 comment="[guest-vlan52] **TDF**" interface=vlan52-guest \
    lease-time=3h name=dhcp2-vlan52-guest

/disk settings
set auto-media-interface=bridge-lan auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2-sys-v3
add bridge=bridge-lan comment=defconf interface=ether3-sys-v2
add bridge=bridge-lan comment=defconf interface=ether4-plnt-uplnk
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6-hap-ax2-uplnk
add bridge=bridge-lan comment=defconf interface=ether7-ntgr-uplnk
add bridge=bridge-lan comment=defconf disabled=yes interface=ether8-wan
add bridge=bridge-lan comment=defconf interface=sfp-sfp+10g
add bridge=bridge-lan interface=ether1-2.5g

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge-lan comment="[guest-vlan52] **TDF**" tagged=ether6-hap-ax2-uplnk,bridge-lan \
    vlan-ids=52

/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether8-wan list=WAN
add interface=vlan52-guest list=VLAN
add interface=ether6-hap-ax2-uplnk list=WIRELESS-TRUNK

/interface wifi cap
set enabled=yes

/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no radio-mac=00:00:00:00:00:00

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-lan network=192.168.1.0
add address=192.168.10.1/24 comment="[wifi-uplink] mikrotik hapax2" interface=ether6-hap-ax2-uplnk \
    network=192.168.10.0
add address=192.168.52.2/24 comment="[guest-vlan52] **TDF**" interface=vlan52-guest network=\
    192.168.52.0

/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-2.5g
add comment="wan dhcp client" interface=ether8-wan

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,192.168.1.1 gateway=192.168.1.1
add address=192.168.52.0/24 dns-server=192.168.1.1 gateway=192.168.52.2

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment="[guest-wifi tcp] **TDF**" disabled=yes in-interface=bridge-lan \
    log-prefix="[guest-wifi-52]" protocol=tcp src-address=192.168.52.0/24
add action=accept chain=input comment="[guest-wifi udp] **TDF**" disabled=yes in-interface=bridge-lan \
    log-prefix="[guest-wifi-52]" protocol=udp src-address=192.168.52.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="[ronin] Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="[ronin-vlan52-guest] **TDF** - Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="[ronin-vlan52-guest] **TDF** - Internet Access Only" \
    connection-state=new in-interface-list=WIRELESS-TRUNK out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
[****REDACTED****]

/ip route
add disabled=no dst-address=192.168.52.0/24 gateway=ether8-wan routing-table=main suppress-hw-offload=no
add comment="[wifi-uplink]" disabled=no distance=1 dst-address=192.168.52.0/24 gateway=192.168.10.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN

/system clock
set time-zone-name=America/Chicago

/system identity
set name=4306io_RB5009UGSIN

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=time.nist.gov

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@4306io_RB5009UGSIN] >

Okay, so if you want to use VLANs then go VLANs all the way.

Right now you are using VLAN with PVID 52 and native VLAN or VLAN1.

Also there is the 192.168.10.0 subnet, which is used for what exactly? Uplink towards your AP? That is not needed.

My advice, reset it to default configuration because I can see you messed with firewall rules to pass traffic between two subnets.

With default configuration that’s not needed as default configuration will pass traffic between VLANs by default.

When you have a fresh start I recommend you take one port off the bridge for configuration purposes so you don’t lock yourself out of the router; assign that port an IP address manually and don’t forget to add it to the LAN interface list.

Then you are ready to make new configuration. First on your router then on your AP.

So decide how many VLANs you need and what their purpose will be. Make a small network diagram of what you are trying to achieve.

The 192.168.10.0 “network” was to setup a trunk between the two units as per an example on the MikroTik RouterOS Docs. I don’t feel that it’s necessary at all, but I set it up because I figured there is something specific about MikroTik that needs it. The Firewall Rules added for the VLAN was part of a tutorial or docs or something that I was thinking needed to be done. I have made a bunch of notes on my changes regarding the VLANs on both devices, so I can get them reconfigured back without any issues, but I can default them.

As far as I’m concerned, I can use the default VLAN 1 for the overall network. The RB5009 has a bunch of NAT rules on it and really is working like it’s supposed to. My confusion is on the hAP ax2 and setting up the Guest WLAN to be segmented away from everything else. Everything that I have read says VLAN is the only way or the best way, which is why I have gone this route. I could easily isolate the IP range from a dedicated DHCP server assigned to the virtual WLAN interfaces using firewall rule(s), no problem.

In regards to the Virtual WLAN Interfaces that needs to be created on the hAP ax2 as Slave Interfaces on the Primary WLAN, doesn’t the DHCP Server need to be setup on the hAP ax2?

It just seems that all of the docs and examples are for older versions of RouterOS and when I try to implement those setups, it either doesn’t work at all or some function says it can’t be configured because that Interface or whatever is a Slave. Super confusing and frustrating. Hopefully that information helps.

Overall, I like the MikroTik products and I am very appreciative of your assistance.

It’s not needed. A trunk is simply a specific port on a switch or a router that is configured to carry the VLANs we decide we want to transmit to another device (e.g. another switch or access point).

IMHO for a simple setup like yours, the default firewall configuration is more than enough. You can create two VLANs, create a new interface list for the guest network and just separate them with the firewall on L3. (They are already separated on L2, as they are different broadcast domains.)

Imagine your ax2 as a simple switch connected to your router. No VLANs, just a simple network. You plug your PC into the switch; the first thing the PC will do, if no static IP address is configured, is send a Discover message (a broadcast) to find a DHCP server, and that is done on L2 as there is no IP address yet. (The packet will have a destination address of 255.255.255.255, which is the broadcast address, and a source address of 0.0.0.0, as the device hasn’t got its IP address yet.)

So now you have your ax2 as a simple AP/switch. Your wireless interfaces are in the same bridge as your physical ports. As you connect to them, after authentication the same broadcast message will be transmitted by your device and will travel through the whole broadcast domain (your desired VLAN, for example) until the DHCP server, which is located on your router, answers back.

I can recommend you youtube channels The network berg, The network trip, Mikrotik Indonesia and Main Mikrotik channel. Much much much better content for learning Mikrotik.
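Editor's note: the point of the reply above is that the DHCP server belongs on the RB5009, on a VLAN interface that hangs off the bridge, and that the guest network is kept away from the LAN by L3 firewall rules. Two things in the RB5009 exports in this thread work against that: the "[ronin] Allow VLAN" input rule accepts every packet from the guest VLAN into the router itself (Winbox, SSH, API and the rest), and the default firewall has no forward rule dropping LAN-originated traffic, so guests can reach 192.168.1.0/24 unless a rule is added. The following is an added example of the router side; it is not the poster's config. It assumes the names bridge-lan, ether6-hap-ax2-uplnk and the defconf WAN list from the export; the GUEST interface list, pool name, DHCP server name and rule comments are this example's own.

```routeros
# RB5009 side of guest VLAN 52 (added example, names assumed from the export).

/interface bridge
set bridge-lan vlan-filtering=no

# The VLAN interface must be a child of the bridge (not of ether6) and must not be a bridge port.
/interface bridge port
remove [find interface=vlan52-guest]
/interface vlan
remove [find name=vlan52-guest]
add name=vlan52-guest interface=bridge-lan vlan-id=52

# Bridge VLAN table: the bridge itself is tagged so the router can terminate VLAN 52,
# and the uplink to the hAP ax2 is tagged so the trunk carries it.
/interface bridge vlan
remove [find vlan-ids=52]
add bridge=bridge-lan vlan-ids=52 tagged=bridge-lan,ether6-hap-ax2-uplnk

# Keep guests out of the LAN list (defconf rules trust LAN) and give them their own list.
/interface list
add name=GUEST
/interface list member
add interface=vlan52-guest list=GUEST

# L3 + DHCP. The subnet is directly connected, so any static route for 192.168.52.0/24
# (the exports point one at ether8-wan and one at 192.168.10.2) is wrong and is removed.
/ip address
add address=192.168.52.1/24 interface=vlan52-guest
/ip route
remove [find dst-address~"192.168.52.0"]
/ip pool
add name=pool-guest ranges=192.168.52.100-192.168.52.150
/ip dhcp-server
add name=dhcp-guest interface=vlan52-guest address-pool=pool-guest lease-time=3h
/ip dhcp-server network
add address=192.168.52.0/24 gateway=192.168.52.1 dns-server=192.168.52.1

# Firewall. Guests may obtain DHCP and DNS from the router's guest-side address and reach
# the internet; everything else towards the router or the LAN is dropped. Rules are placed
# ahead of the defconf rules they must precede.
/ip firewall filter
add chain=input in-interface-list=GUEST protocol=udp dst-port=67 action=accept \
    comment="guest: DHCP" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input in-interface-list=GUEST protocol=udp dst-port=53 action=accept \
    comment="guest: DNS udp" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input in-interface-list=GUEST protocol=tcp dst-port=53 action=accept \
    comment="guest: DNS tcp" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input in-interface-list=GUEST action=drop \
    comment="guest: no router management" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=forward in-interface-list=GUEST out-interface-list=WAN connection-state=new action=accept \
    comment="guest: internet only" place-before=[find chain=forward comment="defconf: drop invalid"]
add chain=forward in-interface-list=GUEST action=drop \
    comment="guest: block LAN and everything else" place-before=[find chain=forward comment="defconf: drop invalid"]

/interface bridge
set bridge-lan vlan-filtering=yes

# Verify: ether6 must show under current-tagged for VLAN 52, and a guest client should
# get a lease from dhcp-guest once the AP side tags its frames onto the trunk.
/interface bridge vlan print
/ip dhcp-server lease print where server=dhcp-guest
```

The forward accept is placed after the defconf established/related rules and before "drop invalid", so return traffic for guest connections is still fast-tracked; the explicit guest drop in the input chain is what keeps router services closed to guests even if vlan52-guest is later added to another trusted list by mistake.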

The trunk between the 2 units is working fine, so I’ll just leave that in place. The only issue that I have with the entire setup is when I try to isolate the Guest WLAN using the VLAN 52 setup. Literally off of a VLAN setup, the Guest WLAN is fine (in terms of WiFi connectivity).

I agree that the Default Firewall Rules are just fine. I had only made adjustments because they were recommended in the VLAN Tutorial in the forum from pcunite.

I have removed/Disabled the DHCP Servers on the hAP ax2. I did setup VLAN 52, associated IP Address, associated DHCP Server on the RB5009 to serve for VLAN 52. On the RB5009, I setup the VLAN on the Bridge (bridge-lan). I am going through the configs further, but at this moment, I am still not pulling an IP Address on my Guest WLAN when I have the VLAN 52 connected to it.

On the VLAN 52 setup, I am not sure which Interface that I need it to be connected to, the Bridge and/or the Guest WLAN. On the RB5009, it would make sense to connect it to the Bridge because there is no WLAN capability on the device. That is where I have the VLAN 52 DHCP Server configured. On the hAP ax2, I am not sure if I need to be connected to the Guest WLAN Interface or the Bridge. I had it connected to the Bridge, but just moved it to the Guest WLAN and I have no change in terms of pulling an IP Address from the DHCP on the RB5009. On both devices, I have all of the ports and interfaces connected to a single Bridge for that device.

I have looked at the “Mastering VLAN Configuration on MikroTik, Step-by-Step Guide” video on The Network Berg YouTube channel because it’s literally the newest video that I could find. But… reading the comments (because it didn’t work), I saw that he was responding to someone who was trying to implement his process for a Guest WLAN as well and his response was that it wouldn’t work on the Guest WLAN and he would do another video on it.

I will look at the other channels that you recommended and see what I can find or figure out. What’s crazy to me is that it shouldn’t be this difficult. I have been working in IT and networking since the start of DSL, so this is driving me crazy. After I get some more items cleaned up, I will post the config for both units again.

I want to thank you again for your assistance and for giving me some direction.

Please post your current configuration so we can see changes you made.

The Network Trip channel is good. I could read and follow the Indonesia because I needed the Closed Caption on top of trying to follow and read the screens. On the Network Trip channel, I watched “Static Routing on Mikrotik Devices for Beginners”, which part of that video was also applied to the “Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial”. I watched that video twice, then walked through it point-by-point.

I have only added VLAN 52 to the system and left VLAN 1 in the system as the default, which, when everything is enabled, is all working properly, but still no change on the VLAN 52 setup. It looks like the connection between the RB5009 and the hAP ax2 is broken for the VLAN 52 component. I now only have the DHCP servers set up on the RB5009 and am trying to pass all of the WLAN VLAN 52 traffic to the RB5009 so that an IP address is assigned/issued.

Here is the config for the RB5009 (main router)…

[admin@4306io_RB5009UGSIN] > export
# 2025-02-13 23:08:24 by RouterOS 7.16.1
# software id = 6S4A-2AI1
#
# model = RB5009UG+S+
# serial number = [****REDACTED****]

/interface bridge
add admin-mac=F4:1E:57:82:E6:D5 auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment=2.5g name=ether1-2.5g
set [ find default-name=ether2 ] comment="ronin sys  v3 [mcsvr]" name=ether2-sys-v3
set [ find default-name=ether3 ] comment="ronin sys  v2" name=ether3-sys-v2
set [ find default-name=ether4 ] comment="[poe-uplink] planet 24prt" name=ether4-plnt-uplnk
set [ find default-name=ether6 ] comment="[wifi-uplink] mikrotik hap ax2" name=ether6-hap-ax2-uplnk
set [ find default-name=ether7 ] comment="[switch-uplink] netgear 24prt" name=ether7-ntgr-uplnk
set [ find default-name=ether8 ] comment=wan name=ether8-wan
set [ find default-name=sfp-sfpplus1 ] comment="10g sfp+" name=sfp-sfp+10g

/interface vlan
add comment="[guest-vlan52] **TDF**" interface=ether6-hap-ax2-uplnk name=vlan52-guest vlan-id=52

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=WIRELESS-TRUNK

/ip pool
add name=pool1-default ranges=192.168.1.100-192.168.1.150
add name=pool3-guest-vlan52 ranges=192.168.52.100-192.168.52.150
add name=dhcp_pool3 ranges=192.168.52.1,192.168.52.10-192.168.52.20

/ip dhcp-server
add address-pool=pool1-default interface=bridge-lan lease-time=1d name=dhcp1-default
add address-pool=pool3-guest-vlan52 comment="[guest-vlan52] **TDF**" interface=vlan52-guest \
    lease-time=3h name=dhcp2-vlan52-guest

/disk settings
set auto-media-interface=bridge-lan auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2-sys-v3
add bridge=bridge-lan comment=defconf interface=ether3-sys-v2
add bridge=bridge-lan comment=defconf interface=ether4-plnt-uplnk
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6-hap-ax2-uplnk
add bridge=bridge-lan comment=defconf interface=ether7-ntgr-uplnk
add bridge=bridge-lan comment=defconf disabled=yes interface=ether8-wan
add bridge=bridge-lan comment=defconf interface=sfp-sfp+10g
add bridge=bridge-lan interface=ether1-2.5g
add bridge=bridge-lan interface=vlan52-guest pvid=52

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge-lan comment="[guest-vlan52] **TDF**" tagged=ether6-hap-ax2-uplnk,bridge-lan \
    vlan-ids=52

/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether8-wan list=WAN
add interface=vlan52-guest list=VLAN
add interface=ether6-hap-ax2-uplnk list=WIRELESS-TRUNK

/interface wifi cap
set enabled=yes

/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no radio-mac=00:00:00:00:00:00

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-lan network=192.168.1.0
add address=192.168.10.1/24 comment="[wifi-uplink] mikrotik hapax2" interface=ether6-hap-ax2-uplnk \
    network=192.168.10.0
add address=192.168.52.1/24 comment="[guest-vlan52] **TDF**" interface=vlan52-guest network=\
    192.168.52.0

/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-2.5g
add comment="wan dhcp client" interface=ether8-wan

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,192.168.1.1 gateway=192.168.1.1
add address=192.168.52.0/24 dns-server=1.1.1.1,208.67.222.222 gateway=192.168.52.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
[****REDACTED****]

/ip route
add comment="[wifi-vlan52-uplink]" disabled=yes distance=1 dst-address=192.168.52.0/24 gateway=\
    192.168.10.2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.52.0/32 gateway=ether6-hap-ax2-uplnk routing-table=main \
    suppress-hw-offload=no

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN

/system clock
set time-zone-name=America/Chicago

/system identity
set name=4306io_RB5009UGSIN

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=time.nist.gov

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@4306io_RB5009UGSIN] >

Here is the config for the hAP ax2…

[admin@4306io_hAPax2] > export
# 2025-02-13 23:04:48 by RouterOS 7.14.1
# software id = QX75-F9BV
#
# model = C52iG-5HaxD2HaxD
# serial number = [****REDACTED****]

/interface bridge
add name=bridge1-primary vlan-filtering=yes

/interface ethernet
set [ find default-name=ether5 ] comment="[router-uplink] mikrotik rb5009ugs" name=ether5-rb5009ugs-uplnk

/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=ROUTER-TRUNK
add name=GUEST-WIFI

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180-5885 name=channel1-5g-ax width=20/40/80mhz
add band=5ghz-ac disabled=no frequency=5180-5885 name=channel2-5g-ac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412-2462 name=channel3-2g-ax width=20/40mhz
add band=2ghz-n disabled=no frequency=2412-2462 name=channel4-2g-n width=20/40mhz

/interface wifi datapath
add comment="[guest-wifi] **TDF**" disabled=no interface-list=GUEST-WIFI name=datapath1-guest-vlan52 \
    vlan-id=52

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment="[primary] **HK**" disabled=no name=sec1-primary
add authentication-types=wpa2-psk,wpa3-psk comment="[legacy] **THJJJ**" disabled=no name=sec2-legacy
add authentication-types=wpa2-psk,wpa3-psk comment="[guest] **TDF**" disabled=no name=sec3-guest

/interface wifi
set [ find default-name=wifi1 ] channel=channel1-5g-ax channel.band=5ghz-ax .width=20/40/80mhz comment=\
    **HK**_5g configuration.country="United States" .mode=ap .ssid=**HK**_5g disabled=no name=\
    wifi1-primary-5g security=sec1-primary security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel=channel3-2g-ax comment=**HK**_2g configuration.country=\
    "United States" .mode=ap .ssid=**HK**_2g disabled=no name=wifi2-primary-2g security=sec1-primary \
    security.authentication-types=wpa2-psk,wpa3-psk
add comment="[guest] **TDF**_5g" configuration.mode=ap .ssid=**TDF**_5g datapath=\
    datapath1-guest-vlan52 datapath.client-isolation=no disabled=no mac-address=D6:01:C3:C1:4B:6D \
    master-interface=wifi1-primary-5g name=wifi3-guest-5g security=sec3-guest security.authentication-types=\
    wpa2-psk,wpa3-psk
add comment="[guest] **TDF**_2g" configuration.mode=ap .ssid=**TDF**_2g datapath=\
    datapath1-guest-vlan52 datapath.client-isolation=yes disabled=no mac-address=D6:01:C3:C1:4B:6D \
    master-interface=wifi2-primary-2g name=wifi4-guest-2g security=sec3-guest

/ip pool
add name=pool1-default ranges=192.168.1.100-192.168.1.124
add name=pool3-guest-vlan52 ranges=192.168.52.100-192.168.52.150
add name=pool2-guest ranges=192.168.1.125-192.168.1.150

/interface bridge port
add bridge=bridge1-primary interface=ether2
add bridge=bridge1-primary interface=ether3
add bridge=bridge1-primary interface=ether4
add bridge=bridge1-primary interface=ether5-rb5009ugs-uplnk
add bridge=bridge1-primary interface=wifi1-primary-5g
add bridge=bridge1-primary interface=wifi2-primary-2g
add bridge=bridge1-primary interface=ether1
add bridge=bridge1-primary comment="[guest] **TDF**_5g" interface=wifi3-guest-5g pvid=52
add bridge=bridge1-primary comment="[guest] **TDF**_2g" interface=wifi4-guest-2g pvid=52
add bridge=bridge1-primary comment="[guest-vlan52] **TDF**" disabled=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=*1C pvid=52

/ip neighbor discovery-settings
set discover-interface-list=all

/interface bridge vlan
add bridge=bridge1-primary comment="[bridge-guest-vlan52] **TDF**" tagged=ether5-rb5009ugs-uplnk untagged=\
    wifi3-guest-5g,wifi4-guest-2g vlan-ids=52

/interface list member
add disabled=yes interface=ether1 list=WAN
add interface=bridge1-primary list=LAN
add interface=*1C list=VLAN
add interface=ether5-rb5009ugs-uplnk list=ROUTER-TRUNK
add interface=wifi3-guest-5g list=VLAN
add interface=wifi4-guest-2g list=VLAN
add interface=wifi3-guest-5g list=GUEST-WIFI
add interface=wifi4-guest-2g list=GUEST-WIFI
add interface=*1D list=GUEST-WIFI
add interface=*1C list=GUEST-WIFI
add interface=*1D list=VLAN

/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none

/ip address
add address=192.168.1.2/24 interface=bridge1-primary network=192.168.1.0
add address=192.168.10.2/24 comment="[router-uplink] mikrotik rb5009ugs" interface=ether5-rb5009ugs-uplnk \
    network=192.168.10.0
add address=192.168.52.2/24 comment="[vlan52-guest] **TDF**" interface=bridge1-primary network=\
    192.168.52.0
add address=192.168.52.3/24 comment="[vlan52-guest] **TDF**" disabled=yes interface=wifi4-guest-2g \
    network=192.168.52.0

/ip dhcp-client
add disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220 gateway=192.168.1.2 \
    netmask=24
add address=192.168.52.0/24 dns-server=192.168.1.1 gateway=192.168.52.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=bridge1-primary
add comment="[router-uplink]" disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main \
    suppress-hw-offload=no
add comment="[wifi-vlan52-link]" disabled=no distance=1 dst-address=192.168.52.0/24 gateway=192.168.10.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.52.0/24 gateway=ether5-rb5009ugs-uplnk pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=America/Chicago

/system identity
set name=4306io_hAPax2

/system note
set show-at-login=no
[admin@4306io_hAPax2] >

Again, there is a DHCP server on your AP/switch. That is not needed.

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220 gateway=192.168.1.2 \
    netmask=24
add address=192.168.52.0/24 dns-server=192.168.1.1 gateway=192.168.52.1

/ip pool
add name=pool1-default ranges=192.168.1.100-192.168.1.124
add name=pool3-guest-vlan52 ranges=192.168.52.100-192.168.52.150
add name=pool2-guest ranges=192.168.1.125-192.168.1.150

You need two VLANs: one for your main network and one for your guest network. And forget about using the native VLAN. You need a clean start; looking at your configuration, you created quite a mess here.

RB5009 on default config: remove one port off the bridge, assign it an IP address, add it to the LAN interface list so you can connect to the router, and use that port to configure everything.

Create 2 VLANs, one VLAN52 for your Guest network and one (e.g. VLAN88 or 99 or whatever) for your main network, create DHCP servers for them, and untag them on 2 ports for testing. (Add the trusted network to the LAN interface list so you can access your router.) When you verify that everything is working, then go to the next step, and that is removing everything that has some connection with the default network, so removing the DHCP server, pools, addresses etc. Untag your ports to the desired VLAN, I presume the trusted network, and leave one port for the trunk.

Then, and only then, I would go to the next step, and that is configuring the AP.

WOW! What the hell?! I look incompetent as hell! On WinBox for the hAP ax2, I have completely removed the DHCP Server and the associated Pools, but on the Terminal Export, it’s still showing. Okay… I’m so glad you caught that because I’m thinking that the changes are being applied in WinBox, but obviously not. I am going to really scrub through the Terminal Export data on both devices and compare that output to what I know I have programmed into WinBox.

I will setup another VLAN as my “default” and go away from the Default VLAN 1. Once I get this setup and everything cleaned up, I will post the updated configs back if the problem still persists.

Your help is very much appreciated.

Update…

Thank you gigabyte091 for the assistance thus far. I am still in the testing process for the changes that I have made, which was to first manually delete settings within the config files to see what kind of effect those specific config lines had on what was happening, then progressing from that point.

On the RB5009, I deleted the following from the config file…

/interface wifi cap
set enabled=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no radio-mac=00:00:00:00:00:00
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

On the hAP ax2, I deleted the following from the config file…

/ip pool
add name=pool1-default ranges=192.168.1.100-192.168.1.124
add name=pool3-guest-vlan52 ranges=192.168.52.100-192.168.52.150
add name=pool2-guest ranges=192.168.1.125-192.168.1.150
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220 gateway=192.168.1.2 \
netmask=24
add address=192.168.52.0/24 dns-server=192.168.1.1 gateway=192.168.52.1

Once both devices were rebooted, I was able to connect to the Guest WLAN, get an IP Address, and Torch shows that traffic is tagged with VLAN 52. Both of the WLANs (primary and guest) are really slow to get connected to the WAN, which sometimes takes 5 minutes or more. Sometimes, the 2GHz connection is constantly bouncing, but that is a completely different issue and not related to this.

What I find interesting is that I have the VLAN Filtering Disabled on the Bridge of BOTH devices. With 2 simple Firewall Rules, I essentially block the traffic from VLAN 52 from communicating with anything on the network, which works like a charm.

I am still going to Enable VLAN Filtering on the Bridge of both devices to see what happens and how that affects everything. I am surprised that it’s working without the Filtering being enabled.

I am not yet ready to mark this posting as SOLVED. I want to make 100% sure that everything is good first. I am still curious as to why it takes so long for the WLAN to get connected to the WAN (ping 1.1.1.1 or [name].com). I think that it may be because I haven’t yet enabled the Filtering on both devices, but we’ll see. My testing has been cut a little short because my wife is about to have a baby any time now.

Again… thank you so much gigabyte091 for your assistance up to this point. It is very much appreciated.

Did you create two VLANs? For VLANs to be used, you must enable VLAN filtering. The best thing is to enable it on the RB5009, confirm that everything is working, and then go on to the next step.

So what you should have is 2 VLANs, and delete everything that includes the default IP address, DHCP server, address pool etc. VLAN1 should only run in the background.

Also congratulations on the baby :smiley: :smiley: :smiley: Take your time and enjoy with your family :smiley:

Here you go, here you can find my RB5009 configuration, so you can see how I set it up with VLANs etc. It’s not the whole configuration as I removed scripts and adlist config.

# 2025-02-16 07:32:41 by RouterOS 7.17rc3
# software id = 
#
# model = RB5009UPr+S+
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_GLAVNI
set [ find default-name=ether2 ] comment=WAN_LTE_BACKUP
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] comment=AP_MARTA
set [ find default-name=ether6 ] comment=AP_GL_SPS
set [ find default-name=ether7 ] comment=PC poe-out=off
set [ find default-name=ether8 ] comment=Trunk_SW_DB
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment="LTE backup" interface=bridge name=VLAN2_LTE vlan-id=2
add comment=Security interface=bridge name=VLAN20_SEC vlan-id=20
add comment=IoT interface=bridge name=VLAN30_IOT vlan-id=30
add comment=IPTV interface=bridge name=VLAN40_IPTV vlan-id=40
add comment="Glavna_mre\C5\BEa" interface=bridge name=VLAN88_MAIN vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=Management name=MGMT
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1

/ip pool
add comment=Security name=SECURITY_POOL ranges=10.10.20.2-10.10.20.254
add comment=IoT name=IOT_POOL ranges=10.10.30.2-10.10.30.254
add comment=IPTV name=IPTV_POOL ranges=10.10.40.2-10.10.40.254
add comment="Glavna_mre\C5\BEa" name=MAIN_POOL ranges=10.10.88.2-10.10.88.254
/ip dhcp-server
add address-pool=SECURITY_POOL interface=VLAN20_SEC lease-time=1d name=dhcp1
add address-pool=IOT_POOL interface=VLAN30_IOT lease-time=1d name=dhcp2
add address-pool=IPTV_POOL interface=VLAN40_IPTV lease-time=1d name=dhcp3
add address-pool=MAIN_POOL interface=VLAN88_MAIN lease-time=1d name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
/interface bridge vlan
add bridge=bridge tagged=ether8,ether6,ether5,ether2 vlan-ids=2,20,30,40,88
/interface list member
add comment=LAN interface=bridge list=LAN
add comment=WAN interface=ether1 list=WAN
add comment=Management interface=VLAN88_MAIN list=MGMT
add comment="Glavna_mre\C5\BEa" interface=VLAN88_MAIN list=LAN
add comment=IPTV interface=VLAN40_IPTV list=LAN
add comment=IOT interface=VLAN30_IOT list=LAN
add comment=Security interface=VLAN20_SEC list=LAN
add comment="LTE backup" interface=VLAN2_LTE list=WAN
/ip address
add address=10.10.20.1/24 comment=Security interface=VLAN20_SEC network=\
    10.10.20.0
add address=10.10.30.1/24 comment=IoT interface=VLAN30_IOT network=10.10.30.0
add address=10.10.40.1/24 comment=IPTV interface=VLAN40_IPTV network=\
    10.10.40.0
add address=10.10.88.1/24 comment="Glavna_mre\C5\BEa" interface=VLAN88_MAIN \
    network=10.10.88.0
add address=----------- interface=ether1 network=-----------
/ip dhcp-server network
add address=10.10.20.0/24 dns-server=10.10.20.1 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.40.1 gateway=10.10.40.1
add address=10.10.88.0/24 dns-server=10.10.88.1 gateway=10.10.88.1
/ip dns
set allow-remote-requests=yes cache-size=40960KiB servers=--------------
/ip dns adlist

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=\
    MGMT protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=DNS_UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS_TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add chain=forward comment=Internet in-interface-list=LAN out-interface-list=\
    WAN
add action=accept chain=forward comment=PORT_FWD connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" connection-nat-state=\
    dstnat connection-state="" in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=----------- \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=flash/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=
/system note
set show-at-login=no
/system package update
set channel=testing
/system ups
add name=ups1 port=usbhid1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no
/tool netwatch
/tool romon
set enabled=yes

Thank you very much gigabyte091 for the sample config! That is actually a HUGE help. I can look through it and see what is going on.

I have not yet been able to fully look through it and compare it with what I have set up.

I had essentially just deleted the extra config lines that were supposed to be removed by WinBox, rebooted, then checked connectivity and everything was working. Using Torch, I could see the traffic from the Guest WLAN as tagged and verified the traffic was isolated via PING. This was with the VLAN Filtering OFF on BOTH devices. When I set it to ON, the Guest WLAN stopped working.

I did not set up a separate VLAN for non-Guest traffic, but I am going to do that and finish out the config using your sample config as a base.

I will post an update once I get everything configured and tested.

I purchased another RB5009UGSIN and hAP ax2 to completely lab this out.

Before starting, I updated the RouterOS and Firmware to the most current version (7.18.2 (stable)).

On the RB5009UGSIN, I setup all of the VLANs (local, guest, management) as Interfaces and on the Bridge, assigned IP Addresses to everything, setup DHCP on the local and guest, added the trunk link to the hAP ax2 as a tagged port and everything else as access ports.

On the hAP ax2, I setup the WiFi networks (primary, guest), setup all of the same VLANs as Interfaces and on the Bridge, assigned IP Addresses to everything, then added the trunk port to the RB5009UGSIN as tagged and everything else as access ports.

With this setup, everything worked UNTIL I enabled the VLAN Filtering on the Bridge of the hAP ax2 (RB5009UGSIN already enabled). Without the VLAN Filtering enabled on the hAP ax2, all of the traffic was tagged with the correct VLAN (verified by Torch) on the hAP ax2 and the RB5009UGSIN. I was able to get an IP Address from the DHCP Server immediately and get online immediately, but the moment I enabled VLAN Filtering on the hAP ax2, I was not able to connect or get an IP Address from the DHCP Server on the RB5009UGSIN.

Looking at the Block Diagram for the hAP ax2, the two WiFi Interfaces are not connected to the switch chip, but are connected directly to the CPU. In my configuration, the WiFi Interfaces were setup as UNTAGGED in the VLAN configuration because they are for Access and not a Trunk. As soon as I moved the WiFi Interfaces to the TAGGED portion of the VLAN configuration, everything worked perfectly with VLAN Filtering enabled.

So… Ultimately… with VLAN Filtering enabled on the hAP ax2 (used as an access point), the WiFi needs to be set up as TAGGED traffic in the VLAN configuration in order for any device connected via any WiFi (primary or guest) to get an IP Address from the DHCP Servers on the RB5009UGSIN (router) and gain access to the Internet.

Many thanks to gigabyte091 for all of the assistance and for getting my mind working in a different direction on this issue. I truly appreciate your patience and help.
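The AP-side configuration the thread arrives at, written out as an added example (not an export from either poster's device): the wifi datapath already tags frames with the VLAN ID, so the wifi interfaces go in the bridge VLAN table as tagged members, and the AP itself keeps no DHCP server. VLAN 52 for guest and VLAN 88 for main follow the thread's suggestion; the interface names, SSIDs and the 192.168.88.2 management address are assumed placeholders.

```routeros
# Added example, not from the thread. Assumptions: VLAN 52 = guest, VLAN 88 = main
# (IDs from the thread's suggestion); ether5 is the trunk to the RB5009, which
# holds every DHCP server; bridge1, wifi1, wifi1-guest, ether2 and 192.168.88.2
# are placeholder names/values.
/interface bridge
add name=bridge1 vlan-filtering=no    # turn on only after the VLAN table below is complete

# The datapath tags wifi frames with its vlan-id before the bridge sees them.
/interface wifi datapath
add name=dp-main vlan-id=88
add name=dp-guest vlan-id=52 client-isolation=yes

/interface wifi
set wifi1 configuration.mode=ap .ssid=main-5g datapath=dp-main disabled=no
add master-interface=wifi1 name=wifi1-guest configuration.mode=ap .ssid=guest-5g \
    datapath=dp-guest disabled=no

/interface bridge port
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged    # trunk to RB5009
add bridge=bridge1 interface=wifi1          # no pvid: frames arrive already tagged (88)
add bridge=bridge1 interface=wifi1-guest    # no pvid: frames arrive already tagged (52)
add bridge=bridge1 interface=ether2 pvid=88 \
    frame-types=admit-only-untagged-and-priority-tagged   # wired access port on main

# What failed once filtering was enabled: wifi listed as untagged.
#   /interface bridge vlan add bridge=bridge1 tagged=ether5 untagged=wifi1-guest vlan-ids=52
# What works: wifi listed as tagged, because the datapath has already tagged the frames.
/interface bridge vlan
add bridge=bridge1 tagged=ether5,wifi1-guest vlan-ids=52
add bridge=bridge1 tagged=ether5,wifi1,bridge1 untagged=ether2 vlan-ids=88

# Management access for the AP rides on VLAN 88 (bridge1 is a tagged member above);
# the AP gets a static address and no DHCP server of its own.
/interface vlan
add interface=bridge1 name=vlan88-mgmt vlan-id=88
/ip address
add address=192.168.88.2/24 interface=vlan88-mgmt

# Final step: enable filtering, then confirm the tagged membership and that guest
# client MACs are learned on VID 52.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
/interface bridge host print where vid=52
```

If a guest client still gets no lease after this, check the RB5009 side of the trunk carries VLAN 52 as tagged and that its DHCP server is bound to the VLAN 52 interface, not to the bridge.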