ELI5 VLAN help

I don’t know VLANs.

I read PCunite’s tutorial 20x, I’ve watched 19 videos, read 18 articles, reviewed 17 threads here, 16 threads elsewhere, and tried 15 times on my own, and given up 14 times already.

Please don’t tell me to study or work harder. If I could have, I would have.

I set up a wAPax I had sitting around, connected its ether2 to my LAN, and got it up and running.

My goal is to get past my major blockage towards understanding and being able to work with VLANs.

My idea here is to set up the wAP so that all wifi connections to the wifi slave interface under wifi2 (5ghz) named “wifiguest-VLAN10” will be on their own VLAN (10) and have no access to anything on the LAN (which is otherwise accessible on ether2). But, wifi connected stations will have connectivity to the Internet (which is the main router at 192.168.2.2).

Here is what I have so far. I know it’s a mess. What would very much help is the most basic configuration to make it work using VLANs. That is, too much and my confusion will cause my brain (CPU) to reject (drop) all.


# 2025-02-18 20:51:23 by RouterOS 7.17.2
# software id = 4R3U-1R3M
#
# model = wAPG-5HaxD2HaxD
# serial number = HH80xxxxxx
/interface bridge
add admin-mac=F4:1E:57:69:AD:13 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-69AD14 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-69AD14 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add comment=wifiguest-VLAN10 configuration.mode=ap .ssid=wifiguest-VLAN10 \
    disabled=no mac-address=F6:1E:57:69:AD:14 master-interface=wifi2 name=\
    wifiguest-VLAN10 security.authentication-types=wpa2-psk
/interface vlan
add interface=wifiguest-VLAN10 name=VLAN10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=default-dhcp ranges=10.10.10.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment=wifiguest-VLAN10 frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifiguest-VLAN10 pvid=\
    10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=wifiguest-VLAN10 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:01:B6:23:41:05 name=ovpn-server1
/ip address
add address=192.168.2.88/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.10.1/24 interface=wifiguest-VLAN10 network=10.10.10.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=default-dhcp interface=VLAN10 name=defconf
/ip dhcp-server alert
add disabled=no interface=bridge
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=10.10.10.1 gateway=\
    10.10.10.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=10.10.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall filter
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN"
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN"
/system clock
set time-zone-name=America/New_York
/system identity
set name=WapAX
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time-a-g.nist.gov
add address=time-a-b.nist.gov
add address=time-a-wwv.nist.gov
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Well you have to decide major questions before wasting time on a config.
Is the access point being used solely as an access point/switch (as it should be), or are you wanting a second router, a wifi router behind your primary router, double NAT so to speak?

If it is a simple switch/access point, then only one vlan is identified on the device, the trusted or management vlan, and that is where the MT device gets its IP address from.
If the trusted vlan also goes to a port or WLAN, that's fine; often it does not, but in any case it is the only vlan that is tagged to the bridge at /interface bridge vlan.

I understand you should have two vlans, the one from the main subnet on the router, and a guest wifi…

Great analysis.

I am tempted to choose using the wAP solely as an AP (in the interest of simplicity). As much as I want to be able to understand and set up devices as a combination router and AP, I think it is wise to start with this as only an AP.

That is as far as my understanding goes however.

Can I have only one VLAN for wifi-connected users on the wAP? Or does that violate a basic VLAN rule?

That is, can I assign the guestwifi users to VLAN10 without the LAN connected to the wAP’s ether2 also employing VLANs?

Or, can the guest wifi users be on VLAN10, and wifi1 and wifi2 users be on VLAN 99 along with all frames coming in on ether2?

I don't understand your questions, they are nonsensical LOL.

Let's be clear:
You have a trunk port coming from the main router; this can carry as many vlans as you desire.
Only the trusted or management vlan is identified on the device; the rest are simply carried in on the trunk and distributed to either lan ports, if they exist, or to WLANs, if they exist.
As far as wlans go, make as many as you need, but personally I would never go beyond 3x 2ghz wlans and 3x 5ghz wlans (two of each being common).
You decide which vlan is associated with which wlan etc…

I am unable to have this discussion. Every time I think I am being clear, it turns out I am not.

I cannot speak in technical terms, despite having an understanding of trunk ports, access ports, etc.

There are no VLANs in my current environment.

The wAP’s ether2 interface/port is connected to a port on a local CSS326.

My idea is to use VLANs exclusively on the wAP to achieve the goal of keeping users connecting via a single SSID separated from my LAN but still able to access the internet (through the CSS326, which connects to the RB5009 at 192.168.2.2).

Yup, nothing untoward or fancy there.
But what is the source of the DHCP for all these vlans??
So far you have a router (hopefully) feeding the MT switch CSS326 with a bunch of vlans.
Then on one port of the 326, there is a port to the MT ap/switch.
This is the trunk port carrying the trusted or management vlan and any needed other vlans for your purposes.

You are in charge here, so at the main router make the vlans you need.
Send them on a trunk port to the 326, then send them on a trunk port to the MT ap/switch.
Same as the ap/switch, the 326 should only need one vlan identified, the trusted or management vlan; the rest come from the router on the trunk port and get distributed via the single bridge to all the other ports as required.

If it helps, just think of vlans as independent tunnels of traffic travelling in a single port. They don't see each other but are sharing the road in their own bubble.

It sounds like I cannot make this happen without enabling or utilizing VLANs on my main network.

Given that the main network is mission critical (mission being keeping the family from complaining), I cannot start messing with it by adding VLANs.

Pssst, don't tell anybody, but the trick is to wait for them to go to sleep!!
By the way that is why I always config the router in such circumstances from an off bridge port, much safer and a time saver in the long run.

Personally, I don't know how anybody survives without vlans…

I just watched this (again, for the 5th time):

https://www.youtube.com/watch?v=4Z32oOPqCqc

Still no help.

Just does not explain why some ports are tagged and untagged at the same time, and creation of software vlans, and so many many more completely confusing items.

I know you all don’t know me, but I promise I do not have a learning difficulty.

It is growing more and more clear to me that despite the billions of hours that wonderful-intentioned people have poured into videos, tutorials, written explanations, and threads on this board and others, there are huge holes in the explanation and teaching of VLANS.

For the switch I also like this video…
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=16s

It's simple:
A port leading to a dumb device has to be untagged for the vlan (subnet heading to that device): access port.
A port leading to a smart device can carry one or more tagged vlans (the device can read vlan tags): trunk port.

MORE RARE
A port leads to a device that expects the management vlan untagged and any data vlans tagged: hybrid port.

What you will notice is that any single port can ONLY handle one untagged vlan.

Let’s see if I understand, and where further clarification is necessary. Here is an example:

Port 3 on a CSS326 is connected via twisted pair (i.e., ethernet cable) to a nic on Windows 11 PC (dumb device).

Therefore, port 3 “has to be untagged for the vlan.” So what does that mean?

In this video:

https://www.youtube.com/watch?v=4Z32oOPqCqc

At ~34 minutes, the narrator adds certain ports to VLAN10 as tagged and other ports to VLAN10 as untagged.

So what does “has to be untagged for the vlan” mean? What is the context? What does this mean in the context of setting up:

INTERFACE | BRIDGE | VLAN and adding some tagged and some untagged ports?


A port leading to a smart device can carry one or more tagged vlans (the device can read vlan tags): trunk port.

For example:

Port 4 on the same CSS326 is connected by wire to port 2 on a wAP (smart device). So we say it is carrying VLAN20 and VLAN30 traffic. And, therefore, it is a trunk port?

How does this vague and limited description translate into configurations?

What you will notice is that any single port can ONLY handle one untagged vlan.

I did not notice this, but now I know. Unfortunately, I still don’t know what it means to “only handle one untagged vlan.”

Do you see how these explanations (I’m certainly not singling you out – but rather the entire body of VLAN instruction) are incredibly insufficient?

I told you, you just have to listen.
Can a PC read tags? NO, so we have to untag the traffic leaving the port that is connected to the PC.

If the commentator says the ports have to be untagged it means the ports lead to dumb devices, PCs, switches, etc…

Yes, if port 4 is going to a smart device that can read vlan tags, then you as the admin decide what vlans the wap needs.
Let's say you have 4 WLANs: a home wlan for 2ghz, a home wlan for 5ghz, a 2ghz wlan for iot devices, and a 5ghz wlan for guest wifi.
Thus you have 4 WLANs, and three subnets to consider, aka 3 vlans: home, iot and guest.

Think of WLAN as a wifi port aka a port.

So on the trunk port to this device you would have 3 vlans, and possibly 4 if you use a management vlan separately to monitor/config all smart devices.

Look me up on discord (anav_ds) and we can explain better more directly, and fire up your anydesk or teamviewer and we can go over devices live.
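
The access/trunk/hybrid port rules and the "a WLAN is just a port" mapping from the two posts above, as an added illustration that is not code from this thread or from RouterOS: a small Python model of a bridge VLAN table using the poster's interface names. The AP-only layout (ether2 as the tagged-only trunk to the CSS326, wifi1/wifi2 on a management VLAN 99, wifiguest-VLAN10 untagged on VLAN 10) is assumed for illustration; it shows why a guest station's frames can only leave on the trunk tagged 10, never onto the home SSIDs, and why a tagged frame sent by a guest station is dropped at the access port.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                    # VLAN given to untagged frames arriving on this port
    admit_tagged: bool = True    # trunk/hybrid ports accept tagged frames
    admit_untagged: bool = True  # access/hybrid ports accept untagged frames

@dataclass
class Bridge:
    ports: dict                  # port name -> Port
    tagged: dict = field(default_factory=dict)    # vlan-id -> ports where it leaves tagged
    untagged: dict = field(default_factory=dict)  # vlan-id -> ports where it leaves untagged

    def validate(self):
        """Rule from the thread: a port is untagged for at most one VLAN, and that VLAN is its pvid."""
        seen = set()
        for vid, names in self.untagged.items():
            for n in names:
                if n in seen or self.ports[n].pvid != vid:
                    raise ValueError(f"{n}: second untagged VLAN or pvid mismatch ({vid})")
                seen.add(n)

    def ingress(self, port, tag=None):
        """VLAN a frame is classified into on arrival, or None if the port drops it."""
        p = self.ports[port]
        if tag is None:  # untagged frame: classified by pvid, only on a port untagged for that VLAN
            return p.pvid if p.admit_untagged and port in self.untagged.get(p.pvid, ()) else None
        return tag if p.admit_tagged and port in self.tagged.get(tag, ()) else None

    def egress(self, vid, in_port):
        """Ports a frame in `vid` may leave on (unknown-destination flood) and whether it stays tagged."""
        out = [(n, True) for n in sorted(self.tagged.get(vid, ())) if n != in_port]
        return out + [(n, False) for n in sorted(self.untagged.get(vid, ())) if n != in_port]

def forward(bridge, in_port, tag=None):
    """Where an incoming frame goes, or [] if it is filtered at ingress."""
    vid = bridge.ingress(in_port, tag)
    return [] if vid is None else bridge.egress(vid, in_port)

# Assumed AP-only layout (constructed, not the thread's config): ether2 is the tagged-only trunk
# to the CSS326, wifi1/wifi2 are home SSIDs on VLAN 99, wifiguest-VLAN10 is the guest SSID on
# VLAN 10, and "bridge" is the CPU port that only sees the management VLAN 99.
ap = Bridge(
    ports={"ether2": Port(pvid=1, admit_untagged=False),
           "wifi1": Port(pvid=99, admit_tagged=False), "wifi2": Port(pvid=99, admit_tagged=False),
           "wifiguest-VLAN10": Port(pvid=10, admit_tagged=False), "bridge": Port(pvid=99)},
    tagged={10: {"ether2"}, 99: {"ether2", "bridge"}},
    untagged={10: {"wifiguest-VLAN10"}, 99: {"wifi1", "wifi2"}},
)
ap.validate()
```

Calling forward(ap, "wifiguest-VLAN10") returns only the trunk with the frame tagged 10, while forward(ap, "ether2", tag=10) returns only the guest SSID with the tag stripped.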

You are indeed very generous.

I am on the discord now, but I don’t have much experience with it.

I see there is General – is that a form of group within the Mikrotik group/forum?

But… that’s not quite right…