Alice has one wireless device and one wired device.
Bob has one wireless device and one wired device.
They are both connected to a single hAP ac².
I want Alice’s devices on a separate VLAN and Bob’s devices on a separate VLAN.
Alice’s devices can talk to each other, but cannot talk to Bob’s, and vice versa.
How many VLANs do I have to set up on a single hAP ac²? Can this even be achieved? Does wireless need a separate VLAN?
Do you want any normal LAN-type traffic for anyone on this device (or only the VLANs)?
You can assign the VLAN to travel on both ether ports (physical cable) and WLANs or virtual WLANs via a single bridge.
Is the hAP ac² acting as a router (DHCP client to ISP), or is it attached to a main router and used more like an AP/switch?
With RouterOS you can achieve everything (or almost).
How to do your isolation depends on the level of security you want.
If you want to separate broadcast domains (L2) you can use VLANs. But the router will still connect those
networks together at L3. To separate at that level you need a firewall (you can also firewall at bridge level).
So in theory you could use only the firewall (all clients on the same broadcast domain) if you assign the MAC addresses fixed IP addresses
and use them to allow/block traffic on in-interface and out-interface “bridge”.
That would be ok if you consider all users of your network “friendly”, not seeking to hack anything.
For both VLAN and firewall you need some fiddling around; it's not too complicated, but you need to spend some time on it
(but you can then extend it to whatever you want).
Maybe a simpler start: in the hAP ac² you have the quick set "Home AP" (or something like that).
Use that and enable “guest network”; you can then rename this network to Bob-network, for example,
and the main network to Alice-network.
Then you already have two bridges and Wi-Fi set up correctly with security etc.
You can then isolate the clients and adjust to what you need and learn from that (or add a different VLAN to each bridge).
hAP ac² is the only router/gateway/AP on the network.
I want isolation so that if Alice’s devices get compromised, they don’t infect Bob’s devices.
My concern is that I have to make a VLAN for Alice’s wired device and a VLAN for Alice’s wireless device, and also two VLANs for Bob’s wired and wireless devices.
Yes, the nice thing about VLANs is that they are valid over both wired and wireless connections.
Only two VLANs, one for each.
You still didn't answer if there was a normal LAN in the mix for everyone else.
Should we assume
eth1-wan port
eth2-5 are for the LAN
WLAN1 - 2.4 GHz radio (for house older Wi-Fi needs)
virtualwlan1-a
virtualwlan1-b
WLAN2 - 5 GHz radio (for house smartphone needs)
virtualwlan2-a
virtualwlan2-b
(create virtual radios specifically for the Wi-Fi needs of Alice and Bob, and associate VLANs with them!)
(just a suggestion; not sure what is on your device by default - I am assuming two radios)
(do you want only one Wi-Fi network to use for them, or split it up, or what?)
Yes. Don’t complicate with VLANs in this situation.
For example:
eth2 and eth3 + wlan1 in BRIDGE-A with IP 192.168.50.x/24 and one DHCP server
eth4 + virtual-wlan1 in BRIDGE-B with IP 192.168.60.x/24 and one DHCP server also
You can even give bandwidth to each bridge, PCQ queues, and “play” a lot with this.
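The two-bridge layout from the reply above, written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik; the interface names (ether2-ether4, wlan1), SSIDs, pre-shared keys, subnets and bandwidth figures are assumptions to adjust. Two bridges give separate broadcast domains, but on their own the router still routes between the two subnets; the forward-chain drop rules are what actually keeps Alice's and Bob's devices from reaching each other.

```routeros
# Added example, not the thread's own configuration.
# Assumed: ether2-ether4 are LAN ports, wlan1 is the 2.4 GHz radio,
# ether1 is the WAN port and is left untouched.

# Wireless: Alice on wlan1, Bob on a virtual AP running on the same radio
/interface wireless security-profiles
add name=sp-alice mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-A
add name=sp-bob   mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-B
/interface wireless
set wlan1 ssid=Alice-WiFi security-profile=sp-alice mode=ap-bridge disabled=no
add name=wlan1-bob master-interface=wlan1 ssid=Bob-WiFi security-profile=sp-bob disabled=no

# One bridge per person: separate broadcast domains (L2)
/interface bridge
add name=bridge-A comment="Alice"
add name=bridge-B comment="Bob"
/interface bridge port
add bridge=bridge-A interface=ether2
add bridge=bridge-A interface=ether3
add bridge=bridge-A interface=wlan1
add bridge=bridge-B interface=ether4
add bridge=bridge-B interface=wlan1-bob

# One subnet and one DHCP server per bridge
/ip address
add address=192.168.50.1/24 interface=bridge-A
add address=192.168.60.1/24 interface=bridge-B
/ip pool
add name=pool-A ranges=192.168.50.10-192.168.50.254
add name=pool-B ranges=192.168.60.10-192.168.60.254
/ip dhcp-server
add name=dhcp-A interface=bridge-A address-pool=pool-A disabled=no
add name=dhcp-B interface=bridge-B address-pool=pool-B disabled=no
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1 dns-server=192.168.60.1

# Separation at L3: without these the router routes between the two subnets.
# place-before=0 puts the drops ahead of the default forward rules (including
# the fasttrack / accept-established rule), so no flow between the bridges
# is ever accepted in either direction.
/ip firewall filter
add chain=forward action=drop in-interface=bridge-A out-interface=bridge-B comment="Alice -> Bob" place-before=0
add chain=forward action=drop in-interface=bridge-B out-interface=bridge-A comment="Bob -> Alice" place-before=0

# Optional per-bridge bandwidth cap; PCQ shares the cap evenly between the
# clients of that bridge instead of letting one device take it all.
/queue type
add name=pcq-up   kind=pcq pcq-classifier=src-address
add name=pcq-down kind=pcq pcq-classifier=dst-address
/queue simple
add name=limit-A target=bridge-A max-limit=20M/50M queue=pcq-up/pcq-down
add name=limit-B target=bridge-B max-limit=20M/50M queue=pcq-up/pcq-down
```

`place-before=0` assumes the default firewall rules are present; on an empty filter table leave the parameter out. To confirm the isolation holds, watch the two drop rules' counters with `/ip firewall filter print stats` while a device on one bridge tries to reach the other, and check that `/ip firewall connection print` shows no entries between 192.168.50.0/24 and 192.168.60.0/24.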
I only know the pre-6.43 ways of VLAN (I heard it changed recently):
Create two bridges: Bob and Alice
Create Virtual WLAN AP-Bridge for 2.4G and 5G for Alice and Bob (you can use same SSID for 2.4G and 5G to make it seamless)
Create 1 VLAN per Wi-Fi AP (one for 2.4G and one for 5G), put it into the corresponding bridge (via PORT).
Add also to the bridge the ETH port you would like to add for Bob and the one for Alice.
Create DHCP server with different IP range for each bridge.
Now these devices can’t see/discover each other on L2 anymore.
But then, as said, even with VLAN, the router will still route from VLAN Bob to VLAN Alice at L3.
To disable this you need to drop all cross-VLAN communication (action drop, chain forward, from in-interface bridge Bob to out-interface bridge Alice,
and another one the other way).
That way you get them completely separated but each one has a complete Wifi network and ETH network for himself…
You can add as much of these separated networks as you want (for control, IOT, guests etc.).
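The reply above describes the older layout (one bridge per person with a VLAN interface per Wi-Fi AP added to it). As an added example that is not from the thread or from MikroTik, here is the same separation done with the bridge VLAN filtering that replaced that layout in RouterOS 6.41 and later: one bridge, each port tagged with its owner's VLAN, a VLAN interface per person for the router's own address, DHCP and the forward-chain drops. Interface names (ether2, ether3, wlan1, wlan2), VLAN IDs, subnets, SSIDs and keys are assumptions to adjust.

```routeros
# Added example, not the thread's own configuration. Uses bridge VLAN
# filtering (RouterOS 6.41+) instead of one bridge per person.
# Assumed: ether1 = WAN (untouched), ether2 = Alice wired, ether3 = Bob wired,
# wlan1 = 2.4 GHz radio, wlan2 = 5 GHz radio. VLAN 10 = Alice, VLAN 20 = Bob.

# Wireless: Alice on the master interfaces, Bob on a virtual AP per radio.
# Using the same SSID on both radios of one person lets clients roam between bands.
/interface wireless security-profiles
add name=sp-alice mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-A
add name=sp-bob   mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-B
/interface wireless
set wlan1 ssid=Alice-WiFi security-profile=sp-alice mode=ap-bridge disabled=no
set wlan2 ssid=Alice-WiFi security-profile=sp-alice mode=ap-bridge disabled=no
add name=wlan1-bob master-interface=wlan1 ssid=Bob-WiFi security-profile=sp-bob disabled=no
add name=wlan2-bob master-interface=wlan2 ssid=Bob-WiFi security-profile=sp-bob disabled=no

# One bridge. Each port's PVID decides which VLAN its untagged frames land in,
# so Alice's ports are in VLAN 10 and Bob's in VLAN 20 (L2 separation).
# Filtering stays off until everything else is in place (see last line).
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2    pvid=10
add bridge=bridge1 interface=wlan1     pvid=10
add bridge=bridge1 interface=wlan2     pvid=10
add bridge=bridge1 interface=ether3    pvid=20
add bridge=bridge1 interface=wlan1-bob pvid=20
add bridge=bridge1 interface=wlan2-bob pvid=20
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2,wlan1,wlan2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3,wlan1-bob,wlan2-bob

# The router reaches each VLAN through a tagged VLAN interface on the bridge.
/interface vlan
add name=vlan10-alice interface=bridge1 vlan-id=10
add name=vlan20-bob   interface=bridge1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-alice
add address=192.168.20.1/24 interface=vlan20-bob
/ip pool
add name=pool-alice ranges=192.168.10.10-192.168.10.254
add name=pool-bob   ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp-alice interface=vlan10-alice address-pool=pool-alice disabled=no
add name=dhcp-bob   interface=vlan20-bob   address-pool=pool-bob   disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# L3 separation: the router would otherwise route VLAN 10 <-> VLAN 20.
# Both directions are dropped ahead of the default forward rules.
/ip firewall filter
add chain=forward action=drop in-interface=vlan10-alice out-interface=vlan20-bob comment="Alice -> Bob" place-before=0
add chain=forward action=drop in-interface=vlan20-bob out-interface=vlan10-alice comment="Bob -> Alice" place-before=0

# Last step: turn filtering on. Do it from a connection that does not depend
# on the bridge (the WAN port or MAC-Winbox), because a mistake in the port or
# VLAN table above takes effect here and can cut off management access.
/interface bridge set bridge1 vlan-filtering=yes
```

After enabling filtering, `/interface bridge host print` lists every learned MAC with the VLAN it was placed in, which is the quickest way to confirm a wired or wireless client ended up on its owner's VLAN; `/ip firewall filter print stats` shows the drop counters rising when a cross-VLAN attempt is made. As in the two-bridge variant, `place-before=0` assumes the default forward rules exist.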