HAP Ax, RB260 GSP, WAP Ax & VLANs

Hi,

I’m having issues that I don’t understand with VLAN setup. The sketch below shows my architecture, and the VLAN setup as it is so far.

Switch 1 Bridge VLAN setup:

Switch 3 VLAN Setup:

(Port 2 VLAN Receive is set to "any" because I can’t turn on VLAN filtering on the WAP at the moment.)

WAP 2 Setup:

(VLAN filtering off for now as I lose connection instantly)

(For some reason this is not showing the port assignments, but see final image below)

I have two issues at the moment:

  1. If I have ether3 on Switch 1 set to ‘admit only VLAN tagged’, then after about ten minutes ping from the laptop to Switch 3 fails, but ping to WAP 2 is still ok. It never recovers, unless I set ether3 to ‘admit all’ again.

  2. If I turn on VLAN filtering on the bridge of WAP 2 I lose connection to the WAP.

I am clearly missing something, can anyone guide me please?

Instead of posting screenshots, please export the config for each of the devices and post it back between code quotes (preformatted text).
(minus serial, minus passwds, ...)

And in case you haven't, read and digest this excellent tutorial:

Switch 1:

# 2025-10-16 14:31:27 by RouterOS 7.20.1
# software id = 276N-QS8G
#
# model = C52iG-5HaxD2HaxD
# serial number = <edited>
/interface bridge
add admin-mac=78:9A:18:F0:6B:CB auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add comment="VLAN 12" interface=bridge name=GuestVLAN vlan-id=12
add comment="VLAN 13" interface=bridge name=IOTVLAN vlan-id=13
add comment="VLAN 11" interface=bridge name=MainVLAN vlan-id=11
add comment="VLAN 99" interface=bridge name=ManagementVLAN vlan-id=99
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Main
/interface wifi channel
add band=2ghz-ax disabled=no name="2G AX"
add band=5ghz-ax disabled=no frequency=5260-5380 name="5G AX" \
    skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-n comment="2G N" disabled=no name="2G N"
/interface wifi
# antenna-gain locked, using 4
set [ find default-name=wifi2 ] channel="2G AX" configuration.antenna-gain=0 \
    .country="United Kingdom" .mode=ap .ssid=MikroTik-F06BCF2G disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel="5G AX" configuration.country=\
    "United Kingdom" .mode=ap .ssid=MikroTik-F06BCF disabled=no mtu=1500 \
    name=wifi_5 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface wifi configuration
add channel="2G AX" country="United Kingdom" disabled=no hide-ssid=yes mode=\
    ap name=Default2 security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    NoConnect2
add channel="5G AX" country="United Kingdom" disabled=no hide-ssid=yes mode=\
    ap name=Default5 security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    NoConnect5
/interface wifi
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Default5 disabled=no name=cap-wifi1 radio-mac=\
    D4:01:C3:F0:42:FA
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Default2 disabled=no name=cap-wifi2 radio-mac=\
    D4:01:C3:F0:42:FB
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Default2 disabled=no name=cap-wifi3 radio-mac=\
    04:F4:1C:22:96:C3
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Default5 disabled=no name=cap-wifi4 radio-mac=\
    04:F4:1C:22:96:C4
/interface wifi datapath
add bridge=bridge disabled=no name=Main vlan-id=11
add bridge=bridge disabled=no name=Guest vlan-id=12
add bridge=bridge disabled=no name=IOT vlan-id=13
add bridge=bridge disabled=no interface-list=dynamic name=Manager vlan-id=99
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Main
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Guest
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=IOT
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Management
/interface wifi configuration
add channel="5G AX" country="United Kingdom" datapath=Main disabled=no mode=\
    ap name=Main_5 security=Main ssid=WelcomeToTheNewWorld
add channel="5G AX" country="United Kingdom" datapath=IOT disabled=no \
    hide-ssid=yes mode=ap name=IOT_5 security=IOT ssid=Devices
add channel="5G AX" country="United Kingdom" datapath=Guest disabled=no mode=\
    ap name=Guest_5 security=Guest ssid=MostWelcomeGuests
add channel="2G AX" country="United Kingdom" datapath=Manager disabled=no \
    hide-ssid=yes name=Management security=Management \
    security.authentication-types=wpa2-psk,wpa3-psk ssid=Manager
add channel="2G AX" country="United Kingdom" datapath=Main disabled=no mode=\
    ap name=Main_2 security=Main ssid=WelcomeToTheNewWorld
add channel="2G AX" country="United Kingdom" datapath=Guest disabled=no mode=\
    ap name=Guest_2 security=Guest ssid=MostWelcomeGuests
add channel="2G AX" country="United Kingdom" datapath=IOT disabled=no \
    hide-ssid=yes mode=ap name=IOT_2 security=IOT ssid=Devices
/interface wifi
add channel.frequency=5260-5380 configuration=Guest_2 configuration.mode=ap \
    disabled=no mac-address=7A:9A:18:F0:6B:D1 master-interface=wifi2 name=\
    Guest_2 security.group-key-update=10m
add channel.frequency=5260-5380 configuration=Guest_5 configuration.mode=ap \
    disabled=no mac-address=7A:9A:18:F0:6B:D3 master-interface=wifi_5 name=\
    Guest_5
add channel.frequency=5260-5380 configuration=IOT_5 configuration.mode=ap \
    datapath=IOT disabled=no mac-address=7A:9A:18:F0:6B:D0 master-interface=\
    wifi2 name=IOT_2 security=IOT
add channel.frequency=5260-5380 configuration=IOT_5 configuration.mode=ap \
    datapath=IOT disabled=no mac-address=7A:9A:18:F0:6B:D5 master-interface=\
    wifi_5 name=IOT_5 security=IOT
add configuration=Main_2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:F0:6B:D2 master-interface=wifi2 name=Main_2
add configuration=Main_5 configuration.mode=ap datapath=Main disabled=no \
    mac-address=7A:9A:18:F0:6B:CF master-interface=wifi_5 name=Main_5 \
    security=Main
add configuration=Management configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:F0:6B:D4 master-interface=wifi2 name=Management
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Guest_5 disabled=no mac-address=D6:01:C3:F0:42:FA \
    master-interface=cap-wifi1 name=cap-wifi1-virtual1
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Main_5 disabled=no mac-address=D6:01:C3:F0:42:FB \
    master-interface=cap-wifi1 name=cap-wifi1-virtual2
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Guest_2 disabled=no mac-address=D6:01:C3:F0:42:FC \
    master-interface=cap-wifi2 name=cap-wifi2-virtual1
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=IOT_2 disabled=no mac-address=D6:01:C3:F0:42:FD \
    master-interface=cap-wifi2 name=cap-wifi2-virtual2
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Management disabled=no mac-address=D6:01:C3:F0:42:FE \
    master-interface=cap-wifi2 name=cap-wifi2-virtual3
# operated by CAP 192.168.11.2, traffic processing on CAP
add configuration=Main_2 disabled=no mac-address=D6:01:C3:F0:42:FF \
    master-interface=cap-wifi2 name=cap-wifi2-virtual4
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Guest_2 disabled=no mac-address=06:F4:1C:22:96:C3 \
    master-interface=cap-wifi3 name=cap-wifi3-virtual1
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=IOT_2 disabled=no mac-address=06:F4:1C:22:96:C4 \
    master-interface=cap-wifi3 name=cap-wifi3-virtual2
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Management disabled=no mac-address=06:F4:1C:22:96:C5 \
    master-interface=cap-wifi3 name=cap-wifi3-virtual3
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Main_2 disabled=no mac-address=06:F4:1C:22:96:C6 \
    master-interface=cap-wifi3 name=cap-wifi3-virtual4
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Guest_5 disabled=no mac-address=06:F4:1C:22:96:C7 \
    master-interface=cap-wifi4 name=cap-wifi4-virtual1
# operated by CAP 192.168.11.6, traffic processing on CAP
add configuration=Main_5 disabled=no mac-address=06:F4:1C:22:96:C8 \
    master-interface=cap-wifi4 name=cap-wifi4-virtual2
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.11.20 name=HA username=mqtt_mikrotik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=ManagementPool ranges=192.168.99.20-192.168.99.40
add name=MainPool ranges=192.168.11.20-192.168.11.254
add name=GuestPool ranges=192.168.12.20-192.168.12.254
add name=IOTPool ranges=172.16.0.10-172.16.1.254
add name=dhcp_pool5 ranges=192.168.11.20-192.168.11.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
add address-pool=GuestPool interface=GuestVLAN name=Guest
add address-pool=IOTPool interface=IOTVLAN name=IOT
add address-pool=ManagementPool interface=ManagementVLAN name=Management
add address-pool=MainPool interface=MainVLAN name=Main
/system logging action
set 3 remote=192.168.11.44 syslog-severity=emergency
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="SW 2 - HAP ax2" frame-types=admit-only-vlan-tagged \
    interface=ether2 pvid=11
add bridge=bridge comment="SW 3" interface=ether3 pvid=11
add bridge=bridge comment=Main interface=ether4 pvid=11
add bridge=bridge comment=defconf interface=wifi_5
add bridge=bridge comment="Management Port" interface=ether5 pvid=99
# vlan interface already configured on bridge
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ManagementVLAN pvid=99
add bridge=bridge comment=defconf interface=wifi2
# vlan interface already configured on bridge
add bridge=bridge comment=MainVLAN interface=MainVLAN pvid=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge,ether3 untagged=ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4 vlan-ids=11
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=12
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=13
/interface detect-internet
set lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ManagementVLAN list=LAN
add interface=MainVLAN list=LAN
add interface=GuestVLAN list=LAN
add interface=ether2 list=LAN
add interface=Main_5 list=LAN
add interface=Main_2 list=LAN
add interface=Guest_2 list=LAN
add interface=Guest_5 list=LAN
add interface=IOT_2 list=LAN
add interface=IOT_5 list=LAN
add interface=Management list=LAN
add interface=Main_2 list=Main
add interface=Main_5 list=Main
add interface=IOTVLAN list=LAN
/interface ovpn-server server
add mac-address=FE:CB:22:7D:41:47 name=ovpn-server1
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A18F06BCA certificate=auto enabled=yes \
    interfaces=MainVLAN package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled comment="2 GHz Channels" disabled=no \
    master-configuration=Default2 slave-configurations=\
    Guest_2,IOT_2,Management,Main_2 supported-bands=2ghz-ax
add action=create-enabled comment="5GHz Channels" disabled=no \
    master-configuration=Default5 slave-configurations=Guest_5,Main_5 \
    supported-bands=5ghz-ax
/ip address
add address=192.168.99.1/24 interface=ManagementVLAN network=192.168.99.0
add address=192.168.11.1/24 interface=MainVLAN network=192.168.11.0
add address=192.168.12.1/24 interface=GuestVLAN network=192.168.12.0
add address=172.16.0.1/23 interface=IOTVLAN network=172.16.0.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
add comment="Test for Main" disabled=yes interface=MainVLAN
/ip dhcp-server alert
add interface=MainVLAN
/ip dhcp-server lease
add address=172.16.0.13 mac-address=24:0A:C4:1D:1C:5C server=IOT
add address=192.168.11.44 client-id=1:34:13:e8:2c:ae:c mac-address=\
    34:13:E8:2C:AE:0C server=Main
add address=192.168.11.20 client-id=1:e4:5f:1:df:28:e4 mac-address=\
    E4:5F:01:DF:28:E4 server=Main
/ip dhcp-server network
add address=172.16.0.0/23 comment=IOT dns-server=172.16.0.1 gateway=\
    172.16.0.1
add address=192.168.11.0/24 comment=Main dns-server=192.168.11.1 gateway=\
    192.168.11.1
add address=192.168.12.0/24 comment=Guest dns-server=192.168.12.1 gateway=\
    192.168.12.1
add address=192.168.99.0/24 comment=Management dns-server=192.168.99.1 \
    gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=IOT_2,Main_2,IOT_5,Main_5
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan type=A
add address=192.168.11.20 comment="Home Assistant" name=homeassistant.local \
    type=A
add address=192.168.11.44 comment="Grafana etc." name=pretty.local type=A
add address=192.168.11.1 comment="Main Router" name=router.local type=A
add address=192.168.11.2 comment="Garage Router" name=garage.local type=A
/ip firewall address-list
add address=192.168.99.0/24 list=Management
add address=192.168.11.0/24 list=Main
add address=172.16.0.0/23 list=IOT
add address=192.168.12.0/24 list=Guest
add address=Main comment=Intra-VLAN list=IntraVLAN
add address=Guest comment=Intra-VLAN list=IntraVLAN
add address=IOT comment=Intra-VLAN list=IntraVLAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address=192.168.99.37
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes log=yes log-prefix="Drop Invalid Input: "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="Drop input not from LAN: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack established, firewall works on new" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="IOT Devices Can Talk to HA" \
    dst-address=192.168.11.20 src-address-list=IOT
add action=accept chain=forward comment="HA Can Talk to IOT Devices" \
    dst-address-list=IOT src-address=192.168.11.20
add action=drop chain=forward comment=\
    "IOT devices can't talk to other people" dst-address=!192.168.11.20 log=\
    yes log-prefix="IOT Peer Drop: " src-address-list=IOT
add action=drop chain=forward comment=\
    "Drop packets from IOT network to the Internet" log=yes log-prefix=\
    "IOT Internet Drop: " out-interface-list=WAN src-address-list=IOT
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes log=yes log-prefix="Drop Invalid:"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=reject chain=forward comment="Drop Intra-VLAN packets" \
    dst-address-list=IntraVLAN reject-with=icmp-net-prohibited \
    src-address-list=IntraVLAN
add action=drop chain=forward comment="Drop from normal VLANs to management" \
    dst-address-list=Management src-address-list=IntraVLAN
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable, fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip traffic-flow
set active-flow-timeout=40m inactive-flow-timeout=17s
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=MainMikrotik
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
add topics=caps
/system ntp client
set enabled=yes
/system ntp server
set broadcast-addresses=192.168.11.255 enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether2
add interface=ether1
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=192.168.11.27 name="Work Laptop" type=icmp
add host=192.168.11.2 name="Garage Router" type=icmp
/tool romon
set enabled=yes
/tool sniffer
set file-limit=3000KiB file-name=dhcp.log filter-interface=ether3 \
    filter-ip-protocol=udp filter-port=bootps,bootpc

Switch 3:

host.b:[],
acl.b:[],
.pwd.b:{pwd:''},
vlan.b:[{vid:0x01,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},{vid:0x0b,prt:[0x02,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},{vid:0x0c,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},{vid:0x0d,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},{vid:0x63,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00}],
link.b:{nm:['506f727431','506f727432','506f727433','506f727434','506f727435','534650'],en:0x3f,an:0x3f,spdc:[0x00,0x00,0x00,0x00,0x00,0x00],dpxc:0x3f,fct:0x3f,poe:[0x01,0x01,0x01,0x00,0x00,0x01],prio:[0x00,0x00,0x01,0x02,0x03,0x00]},
fwd.b:{ir:[0x00,0x00,0x00,0x00,0x00,0x00],or:[0x00,0x00,0x00,0x00,0x00,0x00],fp1:0x3e,fp2:0x3d,fp3:0x3b,fp4:0x37,fp5:0x2f,fp6:0x1f,lck:0x00,lckf:0x00,imr:0x00,omr:0x00,mrto:0x01,vlan:[0x02,0x02,0x02,0x02,0x01,0x01],vlnh:[0x02,0x00,0x00,0x00,0x00,0x00],vlni:[0x01,0x00,0x01,0x02,0x00,0x00],fvid:0x00,dvid:[0x0b,0x0b,0x0b,0x0b,0x0b,0x01],srt:[0x00,0x00,0x00,0x00,0x00,0x00],suni:0x00},
rstp.b:{ena:0x3f},
snmp.b:{en:0x01,com:'7075626c6963',ci:'',loc:''},
sys.b:{ip:0x180ba8c0,id:'535733202d205242323630475350',wdt:0x01,dsc:0x01,pdsc:0x3f,ivl:0x01,alla:0x00,allm:0x00,allp:0x3f,avln:0x00,prio:0x8000,cost:0x00,frmc:0x00,igmp:0x00,igmq:0x00,sip:0x0358a8c0,iptp:0x00,lcbl:0x00,igfl:0x00,igve:0x01}

WapAX:

# 2025-10-15 19:06:32 by RouterOS 7.20.1
# software id = T2FM-WY2F
#
# model = wAPG-5HaxD2HaxD
# serial number = <edited>
/interface bridge
add admin-mac=04:F4:1C:22:96:C2 auto-mac=no comment=defconf name=bridge
/interface wifi
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: NoConnect2, channel: 2412/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap .ssid=\
    Broke disabled=no
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: NoConnect5, channel: 5320/ax/eeeC/DI
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.manager=capsman .mode=ap \
    .ssid=MikroTik-2296C3 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge name=GuestVLAN vlan-id=12
add interface=bridge name=IoT vlan-id=13
add interface=bridge name="Main VLAN" vlan-id=11
add interface=bridge name=Management vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=11
add bridge=bridge comment=defconf interface=*4 pvid=11
add bridge=bridge comment=defconf interface=wifi2 pvid=11
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=MainVLAN tagged=ether1,bridge vlan-ids=11
add bridge=bridge comment=Guest tagged=bridge,ether1 vlan-ids=12
add bridge=bridge comment=IoT tagged=bridge,ether1 vlan-ids=13
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi cap
set caps-man-addresses=192.168.11.1 certificate=none discovery-interfaces=\
    "Main VLAN" enabled=yes
/ip address
add address=192.168.88.240/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.11.6/24 interface=bridge network=192.168.11.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name="WAP Ax 1"
/tool mac-server
set allowed-interface-list=LAN

1- Why do you still have a firewall on that wAP AX?
2- Your Switch 3 is configured with a trunk port to the wAP AX, but there is no VLAN filtering on the wAP AX?
Why not?
3- Since that wAP AX is managed by CAPsMAN from the AX2, at least the VLAN for the management channel should be used. And that trunk from Switch 3 also needs to carry all VLANs which are passed on via CAPsMAN (I count 11, 12, 13, 99 in the datapath settings).

Ever looked at this example?

Hi holevoetn,

Thanks for looking at this.

  1. All the firewall rules are disabled in the WAP AX. Is there some other way to disable it? I couldn’t see anything (and Google did not suggest any other approach).

  2. I aim to turn on VLAN filtering eventually, but at the moment whenever I do this I lose connection to the WAP AX; this is one of my issues.

  3. I believe all the VLANs are in the switch:

vlan.b:[{vid:0x01,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},
{vid:0x0b,prt:[0x02,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},
{vid:0x0c,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},
{vid:0x0d,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00},
{vid:0x63,prt:[0x00,0x00,0x00,0x00,0x00,0x00],ivl:0x01,igmp:0x00}],

I think I have looked at that example in the past, but I will review it again. I’m not sure I understand how it would relate to the problem with Switch 3 losing connectivity after ten minutes, though.

1- Ah yes, they are all disabled. Missed that.
(My personal view) I prefer to remove firewall rules when they are not in use for normal operation of a device. If they are not there, I cannot make mistakes about them either. Not on the device (although it would be visible there). Not in the export of the config.
2- Remove port 2 from the bridge; you can then use that port for access via Winbox/MAC access.
3- Can't tell. I don't even know what device/brand that config comes from. So I had to rely on your drawing, and there it is not mentioned.
EDIT: just took a backup from a CSS318 switch also running SwOS and opened it in Notepad++.
It's readable, as in you can read the characters, but other than that it's not understandable what is what. 🫣

This one you also should change:

/ip address
add address=192.168.88.240/24 comment=defconf interface=bridge network=\
    192.168.88.0

You should not put an IP address on the bridge when using VLANs.
Use whatever VLAN you use as the mgmt VLAN (pvid=99?).
Add the VLAN interface to the bridge and then set the IP address on that interface (the other VLAN itfs are not needed on the wAP AX; they simply pass through that device via trunk and datapath).
You will also have to make sure to set ether1 as a proper trunk for all required VLAN IDs (it's not, as it is now).

This is also a left-over which needs to be cleaned:

add bridge=bridge comment=defconf interface=*4 pvid=11

The moment you see that * in an export, you know you deleted something which needs cleanup.
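A small config check for the three points raised in the replies above (an IP address on a VLAN-filtering bridge, the *4 leftover, and ether1 not being a full trunk), added here as an example; it is not from the thread or from MikroTik. It runs on a cut-down export constructed in the shape of the wAP AX one, and it assumes that "every VLAN the device defines" is the union of the /interface vlan entries and the bridge VLAN table.

```python
"""Lint a RouterOS export for the VLAN pitfalls raised in this thread."""
import re
from collections import defaultdict

# Constructed sample shaped like the wAP AX export in the thread (not the real file).
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=IoT vlan-id=13
add interface=bridge name=Management vlan-id=99
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=11
add bridge=bridge comment=defconf interface=*4 pvid=11
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=11
/interface bridge vlan
add bridge=bridge comment=MainVLAN tagged=ether1,bridge vlan-ids=11
add bridge=bridge tagged=bridge vlan-ids=99
/ip address
add address=192.168.88.240/24 comment=defconf interface=bridge network=\
    192.168.88.0
"""

# Same device after the advice above (constructed): IP on the management VLAN, stale port gone, ether1 tagged in every VLAN.
FIXED_EXPORT = r"""
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Management vlan-id=99
/interface bridge port
add bridge=bridge interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=11
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=11,12,13,99
/ip address
add address=192.168.99.6/24 interface=Management network=192.168.99.0
"""

_TOKEN = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be quoted


def parse_export(text):
    """Return {'/section path': [{key: value, ...}, ...]} for the add/set lines."""
    joined = re.sub(r'\\\n\s*', '', text)  # undo "\" + newline line continuations
    sections, current = defaultdict(list), None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):  # section header such as "/ip address"
            current = line
        else:  # "add ..." / "set ..." line: keep only its key=value pairs
            sections[current].append({k: v.strip('"') for k, v in _TOKEN.findall(line)})
    return dict(sections)


def expand_vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '11,20-22' to ['11','20','21','22']."""
    ids = []
    for part in filter(None, spec.split(',')):
        lo, _, hi = part.partition('-')
        ids.extend(str(v) for v in range(int(lo), int(hi or lo) + 1))
    return ids


def lint(sections):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    filtering = {e.get('name') for e in sections.get('/interface bridge', [])
                 if e.get('vlan-filtering') == 'yes'}
    # 1. the thread's key error: an IP address directly on a VLAN-filtering bridge
    for e in sections.get('/ip address', []):
        if e.get('interface') in filtering:
            findings.append(('error', f"IP {e.get('address')} is on vlan-filtering bridge "
                             f"{e['interface']}; move it to the management VLAN interface"))
    ports = sections.get('/interface bridge port', [])
    # 2. "*N" in an export means the referenced interface was deleted: stale entry
    for e in ports:
        if e.get('interface', '').startswith('*'):
            findings.append(('warning', f"bridge port {e['interface']} references a deleted interface"))
    # 3. a trunk must be tagged in every VLAN the device defines (assumption: /interface vlan + bridge VLAN table)
    wanted = {e['vlan-id'] for e in sections.get('/interface vlan', []) if 'vlan-id' in e}
    tagged = defaultdict(set)
    for e in sections.get('/interface bridge vlan', []):
        for vid in expand_vlan_ids(e.get('vlan-ids', '')):
            wanted.add(vid)
            tagged[vid].update(e.get('tagged', '').split(','))
    for e in ports:
        if e.get('frame-types') != 'admit-only-vlan-tagged':
            continue
        missing = sorted((v for v in wanted if e['interface'] not in tagged[v]), key=int)
        if missing:
            findings.append(('error', f"trunk {e['interface']} is not tagged in VLAN(s) {', '.join(missing)}"))
    return findings


if __name__ == '__main__':
    for label, export in (('before', SAMPLE_EXPORT), ('after', FIXED_EXPORT)):
        print(label, lint(parse_export(export)) or 'no findings')
```

On the "before" sample it reports the bridge IP, the *4 port and ether1 missing from VLANs 13 and 99; the "after" sample comes back clean.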

It’s a shame that the SwOS exports are not structured like the RouterOS exports!

I think my key error was having the IP address on the bridge; thank you for pointing that out. Once I fixed that, VLAN filtering was able to work.