Configure AX3 as AP with WIFI per VLAN

I’m trying to use the hAP AX3 router as an AP that forwards VLANs (each with an already working DHCP server) to separate Wi‑Fi networks. Routing between the networks will be done on the OPNsense firewall.
Trunk port from managed switch with 3 VLANs is connected to ether1 (the 2.5Gbit Port).
The VLANs are working (tested with a notebook over cable), so the problem must be on the MikroTik.

ether2 has an IP address so I don’t lock myself out; it can be removed at the end.

After hours of trying I’m now ready for a forum post.

Problem:
I cannot get an IP address when connecting to wifi1 (LAN) or wifi2 (IoT),
but wifi3 (Guest) is working perfectly fine.

Also I don’t know if those dhcp relays are even necessary.

Here is my config (RouterOS 7.15.3):

# RouterOS 7.15.3 export posted by the thread starter: a hAP ax3 used as a
# VLAN-aware AP behind an upstream router/firewall. ether1 is the trunk from
# the managed switch; three SSIDs map to VLANs 10 (LAN), 20 (IoT), 30 (Guest).
# The "#" lines are review notes and are not part of the original export.
/interface bridge
# One bridge with VLAN filtering enabled; the admin MAC is redacted in the post.
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=main-bridge vlan-filtering=\
    yes
/interface vlan
# Layer-3 VLAN interfaces on the bridge. Only vlan10-LAN receives an address
# further down; vlan20-IoT and vlan30-Guest are referenced only by dhcp-relay.
add interface=main-bridge name=vlan10-LAN vlan-id=10
add interface=main-bridge name=vlan20-IoT vlan-id=20
add interface=main-bridge name=vlan30-Guest vlan-id=30
/interface list
# Default-config lists. In this export WAN has no members and LAN holds ether1 only.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=2300-7000 name="5GHz AX" width=\
    20/40/80mhz
add band=2ghz-ax disabled=no frequency=2300-7000 name="2.4GHz AX" width=\
    20/40mhz
/interface wifi datapath
# Each datapath binds an SSID to main-bridge with a vlan-id. wifi1 and wifi2 are
# ALSO added below as static bridge ports with a pvid, so two VLAN mechanisms act
# on the same interfaces, while wifi3 (the one SSID reported as working) relies on
# the datapath alone. NOTE(review): that asymmetry matches the reported symptom;
# the replies in the thread point at removing either the datapaths or the static
# port/vlan entries — confirm on the device.
add bridge=main-bridge disabled=no name=Guest vlan-id=30
add bridge=main-bridge disabled=no name=LAN vlan-id=10
add bridge=main-bridge disabled=no name=IoT vlan-id=20
/interface wifi security
# WPA3-PSK only, with no WPA2 type listed: clients that lack WPA3 support cannot
# associate. Passphrases are not shown in this export.
add authentication-types=wpa3-psk disabled=no name=LAN
add authentication-types=wpa3-psk disabled=no name=Guest
add authentication-types=wpa3-psk disabled=no name=IoT
/interface wifi configuration
# Configuration profiles tie country, datapath and security together per SSID.
add country=Wonderland datapath=LAN disabled=no name=LAN qos-classifier=\
    priority security=LAN
add country=Wonderland datapath=Guest disabled=no name=Guest security=Guest
add country=Wonderland datapath=IoT disabled=no name=IoT security=IoT
/interface wifi
# wifi1 = 5 GHz radio carrying the LAN SSID, wifi2 = 2.4 GHz radio carrying the
# IoT SSID. Both run in AP mode, skip DFS channels and enable 802.11r fast
# transition (.ft / .ft-over-ds).
set [ find default-name=wifi1 ] channel="5GHz AX" channel.band=5ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration=LAN \
    configuration.mode=ap .ssid=LAN datapath=LAN disabled=no security=LAN \
    security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel="2.4GHz AX" channel.band=2ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40mhz configuration=IoT \
    configuration.mode=ap .ssid=IoT datapath=IoT disabled=no security=IoT \
    security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes
# wifi3 is a virtual AP on top of wifi1 (master-interface) with a fixed MAC;
# it is the Guest SSID and has no static bridge-port entry of its own.
add configuration=Guest configuration.mode=ap .ssid=Guest datapath=Guest \
    disabled=no mac-address=7A:9A:18:3A:7A:5D master-interface=wifi1 name=\
    wifi3 security=Guest security.authentication-types=wpa3-psk .ft=yes \
    .ft-over-ds=yes
/disk settings
# Attached storage is auto-shared, including over SMB. Presumably unused on a
# pure AP; worth confirming whether it should stay enabled.
set auto-media-interface=*9 auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether2-ether5 are bridge ports with no pvid and no frame-type restriction.
# ether2 additionally carries the 'antilockout' address assigned below.
add bridge=main-bridge interface=ether2
add bridge=main-bridge interface=ether3
add bridge=main-bridge interface=ether4
add bridge=main-bridge interface=ether5
# ether1 is the trunk from the managed switch; path-cost values are spanning-tree
# costs only.
add bridge=main-bridge comment=rgr interface=ether1 internal-path-cost=10 \
    path-cost=10
# Static ports for the two physical radios with an access pvid; note wifi3 is
# not listed here although it appears as an untagged member in the VLAN table.
add bridge=main-bridge interface=wifi1 pvid=10
add bridge=main-bridge interface=wifi2 pvid=20
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list, i.e. the trunk port ether1.
set discover-interface-list=LAN
/interface bridge vlan
# ether1 is tagged on all three VLANs; main-bridge is tagged so the /interface
# vlan entries above receive traffic; one untagged wifi port per VLAN.
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi1 vlan-ids=10
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi2 vlan-ids=20
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi3 vlan-ids=30
/interface list member
# The LAN list (used by discovery and MAC-server below) contains only the trunk.
add comment=defconf interface=ether1 list=LAN
/ip address
# Management address on VLAN 10, plus a second address in the same /24 placed
# directly on ether2 (itself a bridge port) as a lockout safeguard.
add address=192.168.10.2/24 comment=LAN-IP interface=vlan10-LAN network=\
    192.168.10.0
add address=192.168.10.20/24 comment=antilockout interface=ether2 network=\
    192.168.10.0
/ip dhcp-relay
# Relays toward the upstream DHCP servers. The local-address values for relay-iot
# (192.168.20.2) and relay-guest (172.16.30.2) are not assigned to any interface
# in this export. The replies below state the relays are not needed, since the
# bridge forwards client DHCP broadcasts tagged onto the trunk.
add dhcp-server=192.168.10.1 disabled=no interface=vlan10-LAN local-address=\
    192.168.10.2 name=relay-lan
add dhcp-server=192.168.20.1 disabled=no interface=vlan20-IoT local-address=\
    192.168.20.2 name=relay-iot
add dhcp-server=172.16.30.1 disabled=no interface=vlan30-Guest local-address=\
    172.16.30.2 name=relay-guest
/ip dns
# The AP answers DNS queries arriving on any interface. No upstream DNS servers
# appear in this export, and there are no IPv4 /ip firewall filter rules here to
# restrict which networks may query it.
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.2 name=hermes.lan
/ip firewall service-port
# FTP/TFTP connection-tracking helpers disabled.
set ftp disabled=yes
set tftp disabled=yes
/ipv6 firewall address-list
# Default-config bogon list, referenced by the forward-chain drops further down.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default-config IPv6 rule set. Note that the final "drop everything else not
# coming from LAN" rule in BOTH chains is disabled=yes, so IPv6 traffic that
# matches none of the accept/drop rules above it is accepted by default.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Disabled: with this off there is no catch-all drop for the input chain.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Disabled: with this off there is no catch-all drop for the forward chain.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
/system identity
set name=Hermes
/system note
set show-at-login=no
/system ntp client
# Clock is synced from the upstream gateway on VLAN 10.
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/system routerboard wps-button
# The hardware button runs the wps-accept script below, which issues a WPS
# push-button on every enabled AP-mode wifi interface, i.e. all three SSIDs.
# A physical press therefore admits a WPS client to any of the networks.
set enabled=yes on-event=wps-accept
/system script
# Default-config script; the source string is stored with explicit \r\n escapes.
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
# IP-less (MAC-level) telnet and WinBox access are permitted from the LAN list,
# which here means the trunk port ether1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks already for any help.

Is anyone able to see what’s causing the problem?

You don’t need:

/interface vlan
add interface=main-bridge name=vlan10-LAN vlan-id=10
add interface=main-bridge name=vlan20-IoT vlan-id=20
add interface=main-bridge name=vlan30-Guest vlan-id=30



/interface bridge port
add bridge=main-bridge interface=ether2
add bridge=main-bridge interface=ether3
add bridge=main-bridge interface=ether4
add bridge=main-bridge interface=ether5
add bridge=main-bridge comment=rgr interface=ether1 internal-path-cost=10
path-cost=10
add bridge=main-bridge interface=wifi1 pvid=10
add bridge=main-bridge interface=wifi2 pvid=20

This is done dynamically by the datapath.


/interface bridge vlan
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi1 vlan-ids=10
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi2 vlan-ids=20
add bridge=main-bridge tagged=ether1,main-bridge untagged=wifi3 vlan-ids=30

This is also done dynamically by the datapath.


/ip dhcp-relay
add dhcp-server=192.168.10.1 disabled=no interface=vlan10-LAN local-address=
192.168.10.2 name=relay-lan
add dhcp-server=192.168.20.1 disabled=no interface=vlan20-IoT local-address=
192.168.20.2 name=relay-iot
add dhcp-server=172.16.30.1 disabled=no interface=vlan30-Guest local-address=
172.16.30.2 name=relay-guest

These shouldn’t be needed at all…

I also wonder what IoT devices are compatible with WPA3…

But beside that, I didn’t notice anything particularly wrong.. You should check your DHCP server…

If the AX3 is simply an AP, from an upstream router then it should be a relatively easy setup.
Assuming wifi settings are good … will focus on mechanics of the rest.

First, you need to identify the management or trusted VLAN, from which the AX3 should get its IP address.
Only the trusted VLAN needs to be tagged to the bridge itself, as the rest of the VLANs simply flow in on the trunk and are sent out other ports or WLAN ports.
In your case it would appear VLAN 10 is that VLAN, so I will use that…

There is no such thing as WAN and LAN here, as it’s an AP, not a router!!!
Not sure why you have wifi datapaths… not required!!
I would remove all that noise related to CAPsMAN, which is not being used.

# Proposed replacement configuration from a reply in the thread. It was pasted
# through the forum, so some lines lost their "\" continuation markers, quotes
# became typographic quotes and a few tokens look truncated; those spots are
# flagged below rather than corrected. The "#" lines are review notes.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=main-bridge vlan-filtering=
yes
/interface ethernet
# Port 5 is renamed and kept OFF the bridge as an out-of-band management port.
# "ethe5" appears to be a truncated "ether5" in the post — verify before use.
set [ find default-name=ethe5 ] name=OffBridge5
/interface vlan
# Only vlan10-LAN is used below (address, TRUSTED list). vlan20-IoT and
# vlan30-Guest are defined but VLANs 20/30 are not tagged to main-bridge in the
# VLAN table, so these two interfaces carry nothing in this design.
add interface=main-bridge name=vlan10-LAN vlan-id=10
add interface=main-bridge name=vlan20-IoT vlan-id=20
add interface=main-bridge name=vlan30-Guest vlan-id=30
/interface list
# Single list that gates management-plane access (discovery, WinBox MAC access).
add name=TRUSTED
/interface wifi channel
# Typographic quotes and "20/40mh" look like forum rendering artefacts.
add band=5ghz-ax disabled=no frequency=2300-7000 name=“5GHz AX” width=
20/40/80mhz
add band=2ghz-ax disabled=no frequency=2300-7000 name=“2.4GHz AX” width=
20/40mh
/interface wifi security
# WPA3-PSK only on all three SSIDs; "Io" appears to be a truncated "IoT".
add authentication-types=wpa3-psk disabled=no name=LAN
add authentication-types=wpa3-psk disabled=no name=Guest
add authentication-types=wpa3-psk disabled=no name=Io
/interface wifi
# Same radio settings as the original export, but without datapath= references:
# VLAN membership is handled entirely by the bridge port/vlan entries below.
set [ find default-name=wifi1 ] channel=“5GHz AX” channel.band=5ghz-ax
.skip-dfs-channels=10min-cac .width=20/40/80mhz configuration=LAN
configuration.mode=ap .ssid=LAN disabled=no security=LAN
security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel=“2.4GHz AX” channel.band=2ghz-ax
.skip-dfs-channels=10min-cac .width=20/40mhz configuration=IoT
configuration.mode=ap .ssid=IoT disabled=no security=IoT
security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes
add configuration=Guest configuration.mode=ap .ssid=Guest
disabled=no mac-address=7A:9A:18:3A:7A:5D master-interface=wifi1 name=
wifi3 security=Guest security.authentication-types=wpa3-psk .ft=yes
.ft-over-ds=yes
/interface bridge port
# ether1 is the trunk: only VLAN-tagged frames are admitted. All other ports are
# access ports (untagged, pvid per VLAN) with ingress filtering on, so a client
# cannot inject frames for a VLAN its port is not a member of. wifi3 is now an
# ordinary bridge port like the others. "ethe4" looks like a truncated "ether4".
add bridge=main-bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=ether2 pvid=10
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=ether3 pvid=10
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=ethe4 pvid=10
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=wifi1 pvid=10
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=wifi2 pvid=20
add bridge=main-bridge ingress-filtering=yes frame-types=admit-untagged-and-priority interface=wifi3 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
# VLAN 10 is the only one tagged to main-bridge itself (for the management
# address); VLANs 20/30 are bridged between the trunk and their wifi port only,
# so the AP has no layer-3 presence on them. The trailing comma after ether1
# on the first line is likely a paste artefact.
add bridge=main-bridge tagged=main-bridge,ether1, untagged=ether2,ether3,ether4,wifi1 vlan-ids=10
add bridge=main-bridge tagged=ether1 untagged=wifi2 vlan-ids=20
add bridge=main-bridge tagged=ether1 untagged=wifi3 vlan-ids=30
/interface list member
# Management is reachable only via VLAN 10 and the off-bridge port.
add interface=vlan10-LAN list=TRUSTED
add interface=OffBridge5 list=TRUSTED
/ip address
# Management address on VLAN 10. The second entry is missing interface= and its
# network value is cut off in the post; per the reply text it is meant for the
# off-bridge port (presumably interface=OffBridge5, network=192.168.77.0).
add address=192.168.10.2/24 comment=LAN-IP interface=vlan10-LAN network=
192.168.10.0
add address=192.168.77.1/30 comment=“Off bridge access” network=192.168.77.
/ip dns
# Shorthand in the post; the export form is "set servers=192.168.10.1".
# Unlike the original config, allow-remote-requests is not enabled here.
server=192.168.10.1
/ip route
# Default route via the upstream router on VLAN 10.
add dst-address=0.0.0.0/0 gateway=192.168.10.1
/ipv6 settings
# Shorthand for "set disabled=yes": IPv6 is switched off on the AP entirely,
# and the two drop-all rules below are a second line of defence if it is not.
disabled=yes

/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
# MAC telnet disabled everywhere; MAC WinBox only from the TRUSTED list
# (VLAN 10 and the off-bridge port).
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Assuming port 5 is not used, it has been taken off the bridge and given an IP address.
If there are any VLAN issues, the router is easy to reach by plugging your laptop into port 5 and setting the laptop’s IPv4 address to 192.167.77.2.

Thanks for the helpful replies.

@anav, your advice was very helpful. Getting rid of the datapaths and working with an interface list made it work.
I’m new to MikroTik and have now learned a bit more about configuring it. Thanks a lot!

Hi all,
I’m in a very similar situation with the same device (AX3).
I followed @anav’s post and have reached a state where I can ping all my VLANs from the AX3 to my router, but DHCP is not working on any device connected to any of the Wi‑Fi networks I created.

Any idea? Maybe something to check on firewall/nat side?

I’m a Mikrotik noob, be patient… :slight_smile: