Guest WiFi without VLANs after migrating to wifi-qcom

Hi everyone,

Could someone kindly assist me with a simple guest WiFi configuration that stopped working after migrating from the wireless package to wifi-qcom?

The setup includes an RB5009 router and three cAP access points managed via Capsman. After the migration, wireless functionality significantly improved (e.g., band steering, roaming, and bandwidth efficiency). However, the isolated guest WiFi network has stopped working.

The configuration is straightforward and doesn’t use VLANs: slave virtual WiFi interfaces share a dedicated bridge with client isolation enabled. The guest network has a separate IP range, its own DHCP server, and a dedicated set of firewall rules. This setup worked flawlessly prior to the migration. While it’s possible the new wifi-qcom package is incompatible with such an attempt, I suspect I may have inadvertently disrupted the overall configuration while implementing the changes.

Here’s the current status:

  • Guest WiFi clients connect successfully and are authorized.
  • However, there’s no DHCP negotiation, leaving clients unable to obtain IP addresses.

Attachments: router.rsc (21.3 KB), ap.rsc (3.03 KB)

I’d appreciate it if you could review the attached configuration and provide guidance on what might be wrong. I’ve also come across suggestions to implement guest networks using VLANs. While I see their advantages, there are a few concerns:

  • Capsman compatibility is limited (at least AC devices require manual VLAN configuration on each access point).
  • I’m worried about losing access to the router or access points during VLAN experiments if something goes wrong.

With wifi capsman, unlike the wireless one, use of VLANs to separate the wireless networks from one another is actually not a matter of choice but the only possible way. The wifi capsman only supports what is called local forwarding in the wireless capsman vernacular, i.e. you cannot create virtual wireless interfaces on the 5009 that represent the remote ones on the CAPs and make them member ports of a dedicated local bridge on the 5009 any more.

As you have noticed, with AC devices, you cannot set the VLAN ID on the datapath; instead, you have to make each wireless interface an access port to the required VLAN on the VLAN-aware bridge manually, locally on each CAP. This would be a nightmare in installations with ten or more CAPs, but it is doable in a home setup with just 3 CAPs.

To avoid losing access in case of VLAN misconfiguration, configure /tool/romon first, as it ignores VLAN settings, so you can connect using RoMON even if the VLAN or bridge settings are wrong. The configuration is as easy as enabling it on all 4 devices and setting the same secrets value on all of them.
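As an added illustration of the path described above (the RoMON safety net first, then a VLAN-aware bridge with the guest SSID as a local access port on each CAP, and the guest VLAN terminated on the RB5009), here is a RouterOS v7 configuration sketch. It is example configuration written for this thread, not taken from the attached router.rsc/ap.rsc or from MikroTik documentation. Everything named in it is an assumption to be adapted: the bridge is called "bridge", the CAP's wired uplink is ether1, the RB5009 port towards the CAPs is ether2, the guest slave interface created by CAPsMAN provisioning is "wifi2", the guest VLAN ID is 20, and the addressing is made up. It also assumes the guest interface is added to the CAP's bridge as a static port (so that pvid can be set locally) rather than via the datapath's bridge setting, and that any switch between the RB5009 and the CAPs passes VLAN 20 tagged.

```routeros
# ===== On EACH cAP (run locally; adjust interface names per device) =====

# 1. RoMON first: it works below the bridge/VLAN layer, so the CAP stays
#    reachable (e.g. WinBox -> RoMON from the RB5009) even if the VLAN
#    changes below cut off normal IP access. Same secret on all 4 devices.
/tool/romon
set enabled=yes secrets=CHANGE-ME-SAME-ON-ALL-DEVICES

# 2. Make the guest SSID an access port for VLAN 20.
#    Assumption: wifi2 is the guest slave interface; ether1 (uplink) and the
#    main SSID stay on the default untagged VLAN 1 and need no change.
/interface/bridge/port
add bridge=bridge interface=wifi2 pvid=20 comment="guest SSID, access port VLAN 20"

# 3. VLAN table: VLAN 20 leaves the CAP tagged on the uplink only.
#    CAP management stays untagged on VLAN 1, so it is unaffected.
/interface/bridge/vlan
add bridge=bridge tagged=ether1 vlan-ids=20 comment="guest VLAN to RB5009"

# 4. Only now enable filtering (last step, after 1-3 are in place).
/interface/bridge
set [find name=bridge] vlan-filtering=yes


# ===== On the RB5009 =====

# Same RoMON secret as on the CAPs.
/tool/romon
set enabled=yes secrets=CHANGE-ME-SAME-ON-ALL-DEVICES

# VLAN 20 is tagged towards the CAPs (ether2) and to the bridge itself, so
# the router can terminate it with an L3 interface below.
/interface/bridge/vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=20 comment="guest VLAN"

# Guest L3 interface, separate address range, own DHCP server (constructed).
/interface/vlan
add name=vlan20-guest interface=bridge vlan-id=20
/ip/address
add address=192.168.20.1/24 interface=vlan20-guest
/ip/pool
add name=guest-pool ranges=192.168.20.10-192.168.20.250
/ip/dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool disabled=no
/ip/dhcp-server/network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Isolation: guests may use DHCP/DNS on the router and reach the internet,
# but not the router's other services or the private LAN.
# Place these before any broader accept rules in the same chains.
# Assumption: the private LAN is 192.168.88.0/24 (placeholder).
/ip/firewall/address-list
add list=lan-subnets address=192.168.88.0/24 comment="placeholder LAN range"
/ip/firewall/filter
add chain=input in-interface=vlan20-guest protocol=udp dst-port=67 action=accept comment="guest DHCP"
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53 action=accept comment="guest DNS"
add chain=input in-interface=vlan20-guest protocol=tcp dst-port=53 action=accept comment="guest DNS"
add chain=input in-interface=vlan20-guest action=drop comment="guest: no other router services"
add chain=forward in-interface=vlan20-guest dst-address-list=lan-subnets action=drop comment="guest: no access to LAN"

# Enable filtering on the router last as well.
/interface/bridge
set [find name=bridge] vlan-filtering=yes
```

The order matters: RoMON before anything else, bridge port and VLAN table entries next, and vlan-filtering=yes as the final step on every device, so that a typo in the VLAN table still leaves a RoMON path in. A quick check after applying it is /interface/bridge/vlan/print on a CAP (VLAN 20 should show ether1 as tagged and wifi2 as untagged) and, on the RB5009, /ip/dhcp-server/lease/print while a guest client associates.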

Thank you for a clear and detailed answer, Sindy. I will educate myself on VLAN theory first and follow the suggested path (having secured myself beforehand through RoMON).