I’m trying to configure 4 GrooveA-52HPn’s such that I have a meshed network with multiple SSIDs, and the traffic on each SSID is isolated from each other.
My basic requirements are that one SSID is open, one SSID is running WPA-PSK, and that I have a DHCP pool, with some clients having static addresses (MAC assigned), and a free pool, and that the traffic on each SSID is isolated from the others. A client that requires a static IP address may connect on either SSID (but the static IP doesn’t need to be the same between VLANs). Currently I don’t need internet access, but ideally I’d like to leave the option open for adding it to one of the VLANs later on, via a MiFi-type device or Ethernet. The DHCP server only runs on one of the Grooves.
So I’ve successfully created the meshed network, created the two VLANs, created the DHCP server, assigned the static addresses, and have a free pool. What I cannot seem to do is isolate the traffic. Right now all the IP addresses come from the same server, regardless of the SSID they connect on, and devices on the open SSID are visible on the secure SSID.
I experimented with creating an additional DHCP server to serve another subnet block, but RouterOS unhelpfully displayed an ‘X’ on the new instances, and that didn’t tell me WHY it didn’t work. Since I know I can’t duplicate MAC addresses in the DHCP table, I thought I could figure out a way that one SSID would draw from one DHCP server, and the other SSID from the other.
I normally never deal with creating firewall rules and such, and don’t have a good grasp on the finer (or coarser…) details of firewalling, so advice like “Just create a blocking rule” or something like that won’t help me much.
So what concept or idea am I missing in trying to make this work? Normally I can Google my way through this kind of thing, but so much of the information is out of date, and RouterOS seems to have evolved quite a bit from when some of these examples were written.