My home network consists of a single hAP ax³ v.7.10.2, in addition to my ISP-supplied modem. All of my devices are currently wireless, including: laptop, phone, tablet, Raspberry Pi 4, and five IP cameras.
I would like to isolate my devices on two network segments. One for my laptop, phone and tablet (10.0.10.0/24), and a separate network for all the IoT stuff (10.0.30.0/24). Additionally, I would like to provide a wireless guest network (10.0.20.0/24). I am planning to set up WireGuard VPN for remote access to Home Assistant running on the Pi, and possibly a management VLAN.
In an attempt to get something simple working, I first tried configuring my main “trusted” network, and the guest network. The attached no-isolation.rsc is an export of a RouterOS configuration where I was able to set up two SSIDs (mjau (“trusted”) and mjau-guest), using the same SSID for both 2.4 GHz and 5 GHz. I am able to connect to - and have access to the Internet from - either network. Unfortunately, the network segments are not isolated (I am able to ping my phone connected to the mjau-guest network from my laptop connected to the mjau network). I could maybe rely solely on firewall rules to block traffic between the segments, but I want Layer 2 isolation - if possible.
I am currently stuck on vlan-attempt.rsc. It’s basically no-isolation.rsc + an attempt to use bridge VLAN to isolate the guest network. I am unable to connect to the guest network with this configuration. This is what the log says after I try to connect with my phone (phone tries for a while, then gives up):
23:07:03 wireless,info 56:66:14:79:F7:67@wifi-2Ghz[guest] connected, signal strength -32
23:07:22 wireless,info 56:66:14:79:F7:67@wifi-2Ghz[guest] disconnected, connection lost, signal strength -30
23:07:56 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] connected, signal strength -43
23:08:14 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] disconnected, connection lost, signal strength -43
23:08:16 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] connected, signal strength -41
23:08:34 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] disconnected, connection lost, signal strength -41
23:08:35 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] connected, signal strength -42
23:08:53 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] disconnected, connection lost, signal strength -43
23:08:54 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] connected, signal strength -36
23:09:12 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] disconnected, connection lost, signal strength -38
23:09:14 wireless,info 3A:6A:BE:B2:7D:35@wifi-5Ghz[guest] connected, signal strength -35
What am I missing? (As a struggling noob, probably something basic.)
no-isolation.rsc (3.34 KB)
vlan-attempt.rsc (3.58 KB)