With an hAP ax2 C52iG, OS 7.16.2, I try to configure a LAN with VLANs, but when I activate VLAN Filtering the router rolls back.
I didn't find any example for the C52iG.
Can somebody help me to do this?
Best regards
Hello,
In order for us to be able to help you, please provide more information. How many VLANs do you need? What are you trying to achieve?
Simple network diagram and configuration export would be great.
Hello,
I want to create an all-in-one router/switch/access point like the one shown at Using RouterOS to VLAN your network - #3 by pcunite .
Three VLANs: one for internal PCs and printers (ether 2-4, WiFi2GHz, WiFi5GHz), one for guests (WiFi Guest) and one for management (ether5, WiFi MGMT)
Later, I will perhaps add another VLAN for IoT devices.
thanks a lot
Serge
Can you export your configuration so we can see what you tried to do by yourself?
Here is a tutorial on how to do it:
I'm guessing that you're using safe mode and the port you're connected through is a member of the bridge on which you're changing VLAN settings? In this case it is pretty much expected to see the config roll back, because your management connection is likely to break. If you're sure you will be able to reconnect, then you have to exit safe mode right before enabling vlan filtering.
Or better yet: take one port off the bridge and use that one to connect while configuring VLAN stuff. If you can use WinBox (for MAC connectivity), then you don't need any further setup on that port. When you can get management access through ports of the vlan-enabled bridge, you can add the off-bridge port to the bridge (or leave it off the bridge if you don't need all ports).
In case of need:
Hello,
Here is my configuration before enabling VLAN Filtering
Not quite accurate, you didn't follow pcunite's example very closely.
Do not mix apples and oranges, aka once you use vlans do not have the bridge doing any dhcp, just bridging.
Also you state 3 vlans, but yet you only have two pools???, one dhcp server???, two vlans identified??, one dhcp-server-network.
Aka also an incomplete setup.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As for configuring the router, the safest way to do vlan-bridge filtering to avoid burps, rollbacks etc is to use an off bridge port for configuration purposes and emergency access purposes.
It consists of taking one port off the bridge, giving it its own address like 192.168.77.1/30, adding it to the interface list LAN and any mgmt interface list; then one can enter and configure the router by manually setting 192.168.77.2 in your PC's IPv4 settings, and with user name and password you are in.
In your case vlan99 on port 5 is useless as if there is a bridge issue, you will not be able to access the router, instead use the off bridge port method.
Now I am not saying get rid of the management vlan, as that is what you will need if you add any other smart devices to your network, as they will get an IP on the MGMT network etc.
For example you might put a managed switch (I use a hEX for that) right next to your computer and thus run a trunk port between the router and the switch carrying many vlans to your PC, and you can choose which one you want to hook the PC up to, for troubleshooting etc. Or you might put a shared printer on one of the switch ports!!!
For now I left most of the mgmt entries in place but disabled.
++++++++++++++++++++++++++++++++++++++++++++++++++
REMOVE serial number from your post above.
++++++++++++++++++++++++++++++++++++++++++++++++++++
If not using IPv6, disable the services and remove all addresses and most firewall rules.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
```
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface bridge
# leave vlan-filtering=no until everything else is in place, then change it to
# yes as the very last step, while connected through the off-bridge port
add admin-mac=F4:1E:57:F5:C6:F1 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=no
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-n .frequency=2412 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.country=France \
    .hide-ssid=yes .mode=ap .ssid=HomeSL2GHz disabled=no name=wifi_Home_2GHz \
    security.authentication-types=wpa2-psk .encryption=ccmp .ft=no \
    .ft-over-ds=no .group-encryption=ccmp .management-protection=disabled
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.hide-ssid=no .mode=ap .ssid=\
    HomeSL5GHz disabled=no name=wifi_Home_5GHz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add comment="Interface VLAN GUEST" interface=bridge name=GUEST_VLAN vlan-id=30
add comment="Interface VLAN MGMT" interface=bridge name=MGMT_VLAN vlan-id=99 \
    disabled=yes
add comment="Home VLAN" interface=bridge name=HOME_VLAN vlan-id=10
add comment="IoT VLAN" interface=bridge name=IOT_VLAN vlan-id=60
/interface wifi
add comment="Wifi Guest" configuration.mode=ap .ssid=GuestSL disabled=no \
    mac-address=F6:1E:57:F5:C6:F5 master-interface=wifi_Home_5GHz name=\
    wifi_Guest security.authentication-types=wpa2-psk .encryption=""
# add a 2GHz virtual AP named wifi_Iot-2GHz for IoT devices as required;
# the bridge port and bridge vlan entries below assume it exists
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
# kept enabled; it is unused while the MGMT interface is disabled
add comment="MGMT POOL" name=MGMT_POOL ranges=192.168.99.2-192.168.99.254
add name=GUEST_POOL ranges=192.168.30.2-192.168.30.254
add name=IOT_POOL ranges=192.168.60.2-192.168.60.254
/ip dhcp-server
# DHCP servers sit on the VLAN interfaces, never on the bridge itself
add address-pool=default-dhcp interface=HOME_VLAN name=defconf
add address-pool=GUEST_POOL interface=GUEST_VLAN name=server-guest
add address-pool=MGMT_POOL interface=MGMT_VLAN name=server-mgmt disabled=yes
add address-pool=IOT_POOL interface=IOT_VLAN name=server-iot
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged \
    interface=wifi_Home_5GHz pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged \
    interface=wifi_Home_2GHz pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged \
    interface=wifi_Guest pvid=30
add bridge=bridge frame-types=admit-priority-and-untagged \
    interface=wifi_Iot-2GHz pvid=60
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge comment="Home vlan" tagged=bridge untagged=ether2,ether3,ether4,\
    wifi_Home_5GHz,wifi_Home_2GHz vlan-ids=10
add bridge=bridge comment=GUEST_VLAN tagged=bridge untagged=wifi_Guest \
    vlan-ids=30
add bridge=bridge comment=IOT_VLAN tagged=bridge untagged=wifi_Iot-2GHz \
    vlan-ids=60
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=MGMT_VLAN list=LAN disabled=yes
add interface=HOME_VLAN list=LAN
add interface=GUEST_VLAN list=LAN
add interface=IOT_VLAN list=LAN
add interface=OffBridge5 list=LAN
add interface=MGMT_VLAN list=TRUSTED disabled=yes
add interface=OffBridge5 list=TRUSTED
/ip address
add address=192.168.10.1/24 comment=defconf interface=HOME_VLAN \
    network=192.168.10.0
add address=192.168.99.1/24 interface=MGMT_VLAN network=192.168.99.0 \
    disabled=yes
add address=192.168.30.1/24 comment=GUEST_VLAN interface=GUEST_VLAN \
    network=192.168.30.0
add address=192.168.60.1/24 comment=Iot_VLAN interface=IOT_VLAN \
    network=192.168.60.0
# emergency/config access: off-bridge port, PC set manually to 192.168.77.2
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.10.2 client-id=1:0:11:32:70:19:32 mac-address=\
    00:11:32:70:19:32 server=defconf
add address=192.168.10.5 client-id=1:f8:a2:6d:a5:20:de mac-address=\
    F8:A2:6D:A5:20:DE server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 \
    gateway=192.168.10.1
add address=192.168.30.0/24 comment=defconf dns-server=192.168.30.1 \
    gateway=192.168.30.1
add address=192.168.60.0/24 comment=defconf dns-server=192.168.60.1 \
    gateway=192.168.60.1
# kept enabled; it is inert while MGMT_VLAN and its address are disabled
add address=192.168.99.0/24 comment=defconf dns-server=192.168.99.1 \
    gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall address-list
add address=192.168.10.5 list=PRINTER
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" \
    in-interface=lo src-address=127.0.0.0/8 dst-address=127.0.0.0/8
# ----- admin access and LAN services -----
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
# ----- forward chain -----
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="printer access all - except iot" \
    dst-address-list=PRINTER in-interface-list=LAN !src-address=192.168.60.0/24
add action=accept chain=forward comment="admin to vlans" \
    in-interface-list=TRUSTED out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
```
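An added pre-flight check, not part of the post above or of pcunite's guide: a RouterOS script to run from the off-bridge port before the final `vlan-filtering=yes` step. It walks `/interface bridge port` and `/interface bridge vlan` and reports the mismatches that typically cost you the session and cause the roll-back (a pvid with no bridge vlan entry, a port missing from its entry such as a misspelled wifi name, an entry without the bridge itself as tagged, an untagged member whose pvid differs). It assumes the bridge is named `bridge` and one VLAN id per bridge vlan entry, as in the config above.

```routeros
# Added example, not from the original post. Pre-flight check before
# /interface bridge set bridge vlan-filtering=yes. Assumptions: bridge is
# named "bridge", one VLAN id per bridge vlan entry, the bridge itself only
# ever appears as tagged. Prints findings and a verdict; changes nothing.
:local br "bridge"
:local problems 0
:foreach p in=[/interface bridge port find where bridge=$br] do={
    :local ifname [/interface bridge port get $p interface]
    :local pvid [/interface bridge port get $p pvid]
    :local entries [/interface bridge vlan find where bridge=$br and vlan-ids=$pvid]
    :if ([:len $entries] = 0) do={
        :put "MISSING ENTRY: $ifname has pvid $pvid but no bridge vlan entry for it"
        :set problems ($problems + 1)
    } else={
        :local tagged [/interface bridge vlan get ($entries->0) tagged]
        # the port must be a member of its own pvid VLAN (normally untagged)
        :if ([:typeof [:find [/interface bridge vlan get ($entries->0) untagged] $ifname]] = "nil" && [:typeof [:find $tagged $ifname]] = "nil") do={
            :put "NOT LISTED: $ifname is neither untagged nor tagged in vlan $pvid"
            :set problems ($problems + 1)
        }
        # HOME_VLAN & co. live on "bridge", so the bridge must be tagged in each VLAN
        :if ([:typeof [:find $tagged $br]] = "nil") do={
            :put "NO CPU PATH: vlan $pvid does not list $br as tagged"
            :set problems ($problems + 1)
        }
    }
}
# Reverse direction: every untagged member must be a bridge port with a matching
# pvid, otherwise its untagged ingress traffic lands in a different VLAN.
:foreach v in=[/interface bridge vlan find where bridge=$br] do={
    :local vid [:tostr [/interface bridge vlan get $v vlan-ids]]
    :foreach i in=[/interface bridge vlan get $v untagged] do={
        :local ports [/interface bridge port find where bridge=$br and interface=$i]
        :if ([:len $ports] = 0) do={
            :put "NOT A PORT: $i is untagged in vlan $vid but is not a port of $br"
            :set problems ($problems + 1)
        } else={
            :if ([:tostr [/interface bridge port get ($ports->0) pvid]] != $vid) do={
                :put "PVID MISMATCH: $i is untagged in vlan $vid but its pvid differs"
                :set problems ($problems + 1)
            }
        }
    }
}
:if ($problems = 0) do={
    :put "bridge vlan table is consistent; enable vlan-filtering from the off-bridge port"
} else={
    :put "$problems problem(s) found; fix them before enabling vlan-filtering"
}
```

Paste it into a terminal opened through OffBridge5 (or save it under /system script and run it); on the original, uncorrected export it would report the `wifi-HOME_5GHz`/`wifi_Guest-5GHz` name mismatches before they could take the bridge ports out of their VLANs.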
Hello,
Here is my configuration before enabling VLAN Filtering.
VLAN_MGMT_GUEST(1).rsc (8.4 KB)
Thank you very much. It's much clearer now.
I'll manually configure the steps in your script so I fully understand what it does.
Thanks a lot.
Hello,
I've successfully configured all the VLANs. It's exactly what I expected.
Thank you so much for your help.
Serge