"Dumb AP" Multi SSID configuration with multiple VLANS: cannot set channel settings

Hi everybody!

I just bought a nice hAP ax S to replace my aging Unifi AC AP PRO. So far, just connecting and leaving it with the default configuration i can reach speeds really close to gbit, so i am quite happy and looking forward to configuring it properly.

However, my idea was to turn it into a “dumb” ap+switch, creating a VLAN interface to take a management IP from a OOB router (VLAN 31), and then bridging all the ports so i can have a “free” managed 5-port switch on the wall.

This is my current configuration (i am connected through ether2 for now):

# 2026-02-06 10:43:24 by RouterOS 7.21.2
# software id = JTZ1-S7JV
#
# model = E62iUGS-2axD5axT
/interface bridge
add admin-mac=04:F4:1C:CD:9A:3F auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e_wan
/interface vlan
add interface=bridge name=vlan_mgmt vlan-id=31
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=datapath_iot vlan-id=93
add bridge=bridge disabled=no name=datapath_def vlan-id=70
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_iot
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_def
/interface wifi configuration
add country=Italy datapath=datapath_iot disabled=no name=cfg_iot security=sec_iot ssid="internet of trash"
add datapath=datapath_def disabled=no name=cfg_def security=sec_def ssid="home sweet home"
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=*2
add bridge=bridge comment=defconf interface=*3
add bridge=bridge interface=e_wan
/interface bridge vlan
add bridge=bridge tagged=bridge,e_wan vlan-ids=31
add bridge=bridge tagged=bridge,e_wan vlan-ids=93
add bridge=bridge tagged=bridge,e_wan vlan-ids=70
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_def slave-configurations=cfg_iot
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

[missing firewall and other unrelated configs]

And it works! However, every client is stubbornly using 2.4ghz only, and checking the wireless spectrum i can see that my access point is being a very bad neighbor and using too much spectrum:

image474×896 104 KB

For this reason, i wanted to add some limiting settings to the AP. I created two rules:

/interface wifi channel
add band=2ghz-ax disabled=no frequency=2437,2412,2462 name=channel1 width=20mhz
add band=5ghz-ax disabled=no frequency=5490-5730 name=channel2 width=20/40/80+80mhz

And added them to the networks:

/interface wifi configuration
add country=Italy datapath=datapath_iot disabled=no name=cfg_iot security=sec_iot ssid="internet of trash" channel=channel1
add datapath=datapath_def disabled=no name=cfg_def security=sec_def ssid="home sweet home" channel=channel2

However, with these settings after provisioning the network i get “no channels available” on the wireless interfaces.

My goal is to have the main network on both 2.4 and 5.0 ghz (with steering), and the IoT network on 2.4ghz only.

I’ve tried every combination of channel and provisioning rules, and so far i was able to make it work once, but only for one single band and ssid. Adding anything else to the rules made it break. I am actually not 100% sure going to “radio” and selecting “provision” manually via webfig is the best idea (as some settings seem to be randomly flattened in some cases).

Additionally, i cannot seem to be able to make te AP accept RAs from the router, so it can get an IPv6 using slaac and i can manage it through v6.

What am i doing wrong?

Thanks

Your plans sound fine.

"Provisioning" in the Mikrotik world means using CAPsMAN, a central controller, for provisioning your wifi interfaces. If you have a single AP then this is not the correct path for you.

If you simply open the wifi interface's configuration, you'll find everything you wanted to set in separate tabs. It is possible to set them here manually, or they can be set to inherit settings from a specific configuration, channel, datapath, etc. I suggest that you configure manually.

If you want a second ssid, you just create a "virtual wifi interface", with its master being the actual radio. You can set this up the same way as your original interfaces. It can have different data path, security, etc. settings, but it doesn't have its own channel selection, for obvious reasons.

Selecting 2 or 5 GHz is ultimately the prerogative of the clients. There are a couple of things you can do: enable FT (roaming/fast bss transition) and/or set the setting for 2g beacon delay (this helps with stubborn clients.) Sometimes people also lower the power of the 2GHz channel. Again, ultimately this is a choice the client makes, so there are no final fixes, but these do help.

The other things you have trouble with all deserve a similarly long post, so I'll leave them to others.

The ax S is a fairly new device. If you can spare the time, could you post some of your speed measurements, aling with the client devices? I'm sure quite a few people would find it useful. (Also include the routeros version.)

In webfig there is no way to create a “virtual” wireless device, so you have to create a datapath + configuration + frequency + security settings, and then apply it with a provisioning rule to make RouterOS create the virtual devices automatically.

However, while in theory it sounds solid it feels flimsy once you start using it, since in the provisioning rule you have master + slave “configurations”, and if you put both as slaves you’ll have unused additional virtual devices, while semantically there is no master/slave.

Enabling FT anywhere makes network connections instantly stop working, i assume bad configuration on my side.

In the meanwhile, however, i’ve upgraded to 7.22beta6 since it looks like plenty of fixed were released.

This screenshot is admittedly from a not-that-recent version, but do you not have this "New" button?

image376×277 13 KB

Yes, but when i press “new” it just creates a new interface, with no way to tell if it’s virtual or something else.

It's always virtual. You can clearly see this because it has a "master" setting.

Maybe it's my fault. On older versions of the wireless driver (which is not applicable to your device), it used to be called "virtual." Well, it seems it's not anymore. It's sort of pointless, because you can't really create physical interfaces, like you can't download RAM

Anyway, this is the feature you should use.

In case of need :
https://downloadmoreram.com/

If you don't trust a random site on the internet, there is an opensource version here (CLI): GitHub - daniel071/ramDownloader: An easy way to download more RAM. Fast, Free, Easy.

Is it normal than when creating a virtual Wifi i get no country setting? And additionally, even though it says “not invalid” nothing seems to happen.

Yep. Only the master interface has control of the physical radio, so some settings like country (which restricts frequency choice, transmit power, applies dfs settings), frequency and channel width are not applicable to virtual interfaces. The master's configuration is used instead.

If you create such an interface, have mode set to ap, and you specify an ssid, then that should be visible in scanners.

If you want network access, you should assign this new interface as a bridge port, similar to the master interface. This allows you to have the new ssid be part of a different network than the master.

Mmm...you are pretty close...this will help:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_iot
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_def

/interface wifi configuration
add country=Italy datapath=datapath_iot disabled=no name=cfg_iot security=sec_iot ssid="internet of trash" mode=ap
add country=Italy datapath=datapath_def disabled=no name=cfg_def security=sec_def ssid="home sweet home" mode=ap

/interface wifi
set [ find default-name=wifi1 ] configuration=cfg_def disabled=no
set [ find default-name=wifi2 ] configuration=cfg_def disabled=no

add master-interface=wifi1 name=wifi3 configuration=cfg_iot disabled=no 
add master-interface=wifi2 name=wifi4 configuration=cfg_iot disabled=no

/interface bridge port
add bridge=bridge comment=wifi1 interface=wifi1 pvid=70
add bridge=bridge comment=wifi2 interface=wifi1 pvid=70
add bridge=bridge comment=wifi3 interface=wifi1 pvid=93
add bridge=bridge comment=wifi14interface=wifi1 pvid=93

With this basis config you should be able to get it to work.

Once you get this to work, you can do the tweaking on things like channels.

Alright, this is the current configuration:

[admin@FoxoNET-AP] > export 
# 2026-02-06 16:48:15 by RouterOS 7.22beta6
# software id = JTZ1-S7JV
#
# model = E62iUGS-2axD5axT
/interface bridge
add admin-mac=04:F4:1C:CD:9A:3F auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e_wan
/interface vlan
add interface=bridge name=vlan_mgmt vlan-id=31
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=datapath_iot vlan-id=93
add bridge=bridge disabled=no name=datapath_def vlan-id=70
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_iot
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_def
/interface wifi configuration
add datapath=datapath_iot disabled=no mode=ap name=cfg_iot security=sec_iot ssid="x"
add datapath=datapath_def disabled=no mode=ap name=cfg_def security=sec_def ssid="y"
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg_def disabled=no
# DFS channel availability check (1 min)
set [ find default-name=wifi2 ] configuration=cfg_def disabled=no
add configuration=cfg_iot disabled=no mac-address=06:F4:1C:CD:9A:44 master-interface=wifi1 name=wifi3
add configuration=cfg_iot disabled=no mac-address=06:F4:1C:CD:9A:45 master-interface=wifi2 name=wifi4
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 pvid=70
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=*2
add bridge=bridge comment=defconf interface=*3
add bridge=bridge interface=e_wan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,e_wan vlan-ids=31
add bridge=bridge tagged=bridge,e_wan vlan-ids=93
add bridge=bridge tagged=bridge,e_wan untagged=ether3 vlan-ids=70
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=e_wan list=WAN
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_def slave-configurations=cfg_iot
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add default-route-tables=main interface=vlan_mgmt name=vlan_mgmt

Both networks are running, and all clients are, as expected - on 2.4ghz. I did not add the bridge rules you sent me because looks like they get dinamically tagged automatically due to vlan_id on the datapath.

So, what’s the next step in configuring the channels? As i am right in the middle of three airports, DFS is gonna be horrible, so i’d move elsewhere. And, i’d use 20mhz only on 2.4ghz since i’m much more interested in range than speed.

You can simply set the frequency for the master interfaces. Any parameter that you specify directly for the interface overrides the ones inherited from the configuration.

You should specify your country correctly. To view the allowed frequencies/powers/dfs for your country, you can use the following terminal command:

/interface/wifi/radio/reg-info 0 country="Iceland"