Help separating vlans for iot and smart-tvs

Hi everyone,

I have upgraded my network equipment and changed my old home wireless router and access point with two mikrotik HAP AC2. One acts as a main router, connecting to the internet, and the second HAP AC2 has been configured as a basic AP, in the same subnet. The connection between them is done with a gigabit ethernet link.
The internet connection is tagged with the provider assigned VLAN, which is already done.
Basic configuration is working great, wlan are configured with different ssids for 2.4GHz and 5GHz bands and wifi coverage is great, with even more performance than with the old routers.

Now I want to migrate my IOT and smart-tv&speakers to separate VLANs, something like other users do nowadays as our home networks keep growing.

I guess that I have to (almost) duplicate the bridges wlan and VLAN configuration on both HAP AC2s, then reconfigure the ethernet link between them with a “trunk”" port on each router(switch).

The topology and architecture that I have in mind is this:

Each VLAN would be in a different subnet, then I would go with firewall rules to let some devices connect to the IOT devices.

Is it right?

What would be the right order for configuring both HAPs without loosing total connectivity with the home control system, iot devices and smarttvs?
To reduce the number of devices to reconfigure I’d like keep the IOT devices (15+) in the existing subnetwork 192.168.0.0/24, creating new subnets and VLANs for the other devices.

Could you point me to some tutorial with a similar topology?

Thanks in advance

After a couple of days trying some configurations and reading tutorials like this http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I can’t make the dhcp servers associated to the vlans assign any IP address. Any idea of what can I try? I created a bridge and the vlans associated with the wlans are into the bridge.
Each vlan has an IP address associated.

I have a similar setup with capACs, works fine. Will try to post something tomorrow that should help.
Just to be clear your hapacs have four available networks, or two available networks and the second 2.4 and second 5hz wifi networks are actual virtual??

Thanks for your reply, I appreciate if you can show some working example. Following the tutorial stated before I can’t make it work.

To clarify, I’m trying to configure an AP and a virtual AP for each band (2.4 and 5 GHz) on the HAP AC2s

In most of the the cases when DHCP server doesn’t work on vlans after initial configuration, the reason is somebody forgets to add bridge itself as a tagged member of all needed vlans, and as a result - all vlan-interfaces configured on that bridge are actually not connected anywhere.

Suggest you post a working config for review.
/export hide-sensitive file=yourconfig

(also delete any WANIPs and gateway addresses, and any WIFI passwords etc…)

Thanks for the reply. I double-checked (actually checked it five times -until I found the “Safe Mode” in WinBox) and I guess that the Bridge is a tagged member of all vlans.

In order to stop guessing post your:

/export hide-sensitive

I maintained the original config, with the bridge “BR_original”.
When I move some of the interfaces to the new bridge “BR1” I can ping the VLAN IP that I assigned (192.168.10.1, 192.168.20.1, …) from a client connected to the wlan1, but wireless clients get no address from the corresponding dhcp-server. Setting an static ip address and connecting to wlan2 is not routing anything.
Wish someone can help with this issue…

Please find the exported configuration below:

# oct/14/2019 21:03:23 by RouterOS 6.44.5
# software id = T6D5-IK67
#
# model = RBD52G-5HacD2HnD
/interface bridge
add comment=Bridge1 name=BR1 protocol-mode=none vlan-filtering=yes
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=BR_original \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx name=\
    ether1-gateway
set [ find default-name=ether4 ] name=ether4-trunk
/interface vlan
add interface=BR1 name=VLAN_BASE vlan-id=99
add interface=BR1 name=VLAN_HOME vlan-id=10
add interface=BR1 name=VLAN_IOT vlan-id=30
add interface=BR1 name=VLAN_SMART vlan-id=20
add interface=ether1-gateway name=vlan24-internet vlan-id=24
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=\
    vlan24-internet keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=\
    pppoe-out-fiber use-peer-dns=yes user=xxxxxxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=home supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=HOME2 supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=homeiot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=HOME2tv supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n comment=\
    "wlan1 = HOME (2.4 GHz)" disabled=no distance=indoors \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=home \
    ssid=HOME wireless-protocol=802.11 wps-mode=disabled
add comment="wlan1.1 = HOMEIOT (2.4 GHz)" disabled=no hide-ssid=yes \
    keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=\
    wlan1 multicast-buffering=disabled name=wlan1.1 ssid=HOMEIOT \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX comment="wlan2 = HOME2 (5 GHz)" \
     disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain mode=ap-bridge security-profile=HOME2 ssid=\
    HOME2 wireless-protocol=802.11 wps-mode=disabled
add comment="wlan2.1 = HOMESMART (5 GHz)" disabled=no hide-ssid=yes \
    keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=\
    wlan2 multicast-buffering=disabled name=wlan2.1 security-profile=\
    HOME2smart ssid=HOMESMART wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface wireless manual-tx-power-table
set wlan1 comment="wlan1 = HOME (2.4 GHz)"
set wlan1.1 comment="wlan1.1 = HOMEIOT (2.4 GHz)"
set wlan2 comment="wlan2 = HOME2 (5 GHz)"
set wlan2.1 comment="wlan2.1 = HOMESMART (5 GHz)"
/interface wireless nstreme
set wlan1 comment="wlan1 = HOME (2.4 GHz)"
set wlan1.1 comment="wlan1.1 = HOMEIOT (2.4 GHz)"
set wlan2 comment="wlan2 = HOME2 (5 GHz)"
set wlan2.1 comment="wlan2.1 = HOMESMART (5 GHz)"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name=dhcp-home ranges=192.168.0.110-192.168.0.190
add name=POOL_HOME ranges=192.168.10.200-192.168.10.254
add name=POOL_SMART ranges=192.168.20.200-192.168.20.254
add name=POOL_IOT ranges=192.168.30.200-192.168.30.254
add name=POOL_BASE ranges=192.168.99.200-192.168.99.220
/ip dhcp-server
add address-pool=dhcp-home disabled=no interface=BR_original name=\
    dhcp-server-home
add address-pool=POOL_HOME disabled=no interface=VLAN_HOME name=DHCP_HOME
add address-pool=POOL_SMART disabled=no interface=VLAN_SMART name=DHCP_SMART
add address-pool=POOL_IOT disabled=no interface=VLAN_IOT name=DHCP_IOT
add address-pool=POOL_BASE disabled=no interface=VLAN_BASE name=DHCP_BASE

/interface bridge port
add bridge=BR_original comment=defconf interface=ether2
add bridge=BR_original comment=defconf interface=ether3
add bridge=BR_original comment=defconf interface=ether4-trunk
add bridge=BR1 comment="MNGMT VLAN99" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=99
add bridge=BR_original comment=defconf interface=wlan1
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1.1 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2.1 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=ether4-trunk untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=ether4-trunk untagged=wlan2.1 vlan-ids=20
add bridge=BR1 tagged=ether4-trunk untagged=wlan1.1 vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes
/interface list member
add comment=defconf interface=BR_original list=LAN
add comment=defconf interface=pppoe-out-fiber list=WAN
add disabled=yes list=WAN
add interface=VLAN_BASE list=VLAN
add interface=VLAN_HOME list=VLAN
add interface=VLAN_SMART list=VLAN
add interface=VLAN_IOT list=VLAN
add interface=VLAN_BASE list=BASE
/ip address
add address=192.168.0.1/24 interface=BR_original network=192.168.0.0
add address=192.168.99.1/24 interface=VLAN_BASE network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN_HOME network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN_SMART network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_IOT network=192.168.30.0

/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=LAN-home
add address=192.168.0.0/24 list=LAN-IOT
add address=a6470abe9f63.sn.mynetname.net list=WAN_IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=VLAN_BASE
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade (MASQ srcnat TO WAN(INTERNET) )" ipsec-policy=\
    out,none out-interface-list=WAN

/system identity
set name=MikroTik1
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Done

Bridge BR1 is tagged member only of VLAN 99 … but should be tagged member of all VLANs which have their corresponding vlan interface (10, 20 and 30).

Thank you very much, with all the try-edit-and-changes i thought I had tagged it.

Now it’s working:

Told ya!

My fault! I promise I tagged it at least once!

Thanks for your help.

Now I’m reviewing the second Hap AC2. Probably I’ll come back with other questions.

The second should not be a problem:
+1 local port to add to the bridge;
-1 wan port and everything related to connecting to the outside world;
-all dhcp servers;
+1 dhcp client on one of the vlan-interfaces (on this device it is actually ok if the bridge is a tagged member for only one vlan - to have access to the device itself).

Thank you !
It’s working (almost) like a charm.
Once I added the management PVID 99 to both trunk ports everything started to work.

I also found that when I disabled the first bridge that I created, the clients could’nt connect to the internet. Then I noticed that the new bridge didn’t have an assigned MAC address. Strange…

Finally, I have all the wireless devices being tagged on the corresponding VLAN and acquiring leases from the corresponding DHCP server (HOME-IOT-VLAN). That’s good.

And just now I’ve just finished migrating the wired devices to their separate VLAN.
Some of the devices needed a restart to get a new IP from the new pool, but that was all.

Thanks again for your suggestions.

Would you kindly share you final working configuration? I have similar requirements for new devices and would appreciate you sharing you config so I can use it as the base to tailor for my requirements. Thanks in advance

I’m afraid I’m far from home right now, let me put it in my todo list.
Basically I followed the tutorials stated in the first posts http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
The only change that I did was renaming the interfaces and vlan names, configuring a trunk port and finally adding all vlans to the bridge.

Feel free to remind me in a few days if I’m unable to connect.

Thanks, I have actually gone through it but its not identical to my requirements. I am looking to use my RB4011 with a CAP AC where I need to isolate my NAS and CCTV/IP CAMs, my Home WIFI from the guest WIFI. NAS (ether port 5) in VLAN along with the IP CAMs (connectedt to CAP AC through one of the AP SSIDs) while guests and Home users are connected to different SSIDs on the same CAP. Your setup looks close to what I am looking for, appreciate if you can share the configs once you’re able to do so. Again, thanks.

It’s been a few weeks, any chance you can still post your final config?