I need advice about how to separate an AP for a guest network behind an unmanaged switch. And what would you recommend to use as an AP to have the ability to control traffic on the AP but isolate clients from each other and from the home network as well? Thanks.
What are you using as the AP for guest network? You could connect the AP direct to your router and then connect the unmanaged switch with the server and desktop to the second port on the AP.
How are you doing your guest network? It would be normal to use a vlan, but you could just use a separate IP subnet with no route to your main subnet.
What is your unmanaged switch capable of? If you are using vlans, some unmanaged switches will respect vlans, without actually participating.
Short answer: no. Either get a managed switch, or put the AP directly on a port, or use a virtual WLAN on the hAP ax3 for the guest wifi.
It is quite doable. I have suggested 3 ways, of which the first is completely compliant with your thinking, if OP reconfigures slightly and uses the AP as the managed switch.
How to assume the AP is a smart AP??
Unfortunately I cannot put the guest AP directly in the router; there is only one cable between switch and router. Router, switch and guest AP are in different rooms around the house.
Switch is TP-Link TL-SG1005P.
I have not decided yet what to use as AP. I need to cover one large room (about 40m2) where maximum 10 smartphones connect regularly. It doesn’t need to be anything fast. I just want to isolate guest clients and separate them from home network. Listing bounded connections to guest AP would be nice but not necessary.
@anav Room, where I need guest AP is outside of hAP ax3 wifi range.
I’d like suggestions if buying specific AP could solve my problem or if managed switch is necessary as well?
Then the switch should be unmanaged but passthrough;
https://community.tp-link.com/en/business/forum/topic/672294
You can use any Mikrotik AP you like, do you need both 2.4 and 5 GHz coverage for guests?
Maybe an older used one might be enough.
Yes, one suggestion would be a TPLINK smart AP, where, as Ductview notes, one could send vlans from the mikrotik to the TPLINK AP, one to manage the router, one for guest network (and one for trusted network if needed) and one to pass onto the unmanaged switch for whatever vlan it needs…
Would have to pick a TPLINK smart AP with at least two ports…
The model would have to be a WALL model; they have multiple ports and they have the software that allows one to set PVID on those ports, so trunk in on ether1, and access port out to unmanaged switch etc. on ether2 or ether3, for example.
However, I think better would be another Mikrotik product that does both for what should be a cheaper price than TPLINK. Something like the hAP axS (which is far more configurable than any tplink). This would in effect replace the unmanaged switch in terms of dishing out vlans to your devices, one of which would be the unmanaged switch.
A single 40 sqm room, let's say 5x8 or 6x7 would be better covered by a ceiling AP in the middle, i.e. a cAP if Mikrotik OR by a wAP Ax in a corner.
As others have said, you can try to use the unmanaged switch as a passthrough. It should not interfere with the 802.1q headers. However whether it will support the 1522 bytes of frame size is another question (see https://www.tp-link.com/us/support/faq/697/ for a test). You would do yourself a huge favor by replacing that unmanaged switch with a manageable one.
If you can't replace the unmanageable switch and can't use the passthrough method and if the AP supports it, a possibility is to create a L2 tunnel between the AP and the hAP ax3, and bridge your guest network over that L2 tunnel.
Lastly, if you use a Mikrotik AP, CAPsMAN in manager forwarding mode would be possible (CAPsMAN Manager Forwarding Mode)
You may want to skim this thread: Full wifi device isolation
Another useful reference if you want to avoid vlans: Isolated Guest WiFi Sans VLANs
If you use a wifi router with a guest wifi and it supports client isolation and outgoing firewalls (MikroTik routers do), then you could also configure an outbound firewall that would allow access to the gateway but block access to private address space (RFC 1918 blocks). Then a guest wifi client would not be able to communicate with other guest wifi users (client isolation), and be blocked from accessing devices on your LAN (which should be using a private IP address) even though the traffic (to the internet) is passing through your LAN.
A vlan-aware switch is best, but I have not found any dumb switches made since 2000 that don't pass baby giant/jumbo packets.
The only switch I own that does not have a setting that allows vlan-transparent mode is an HP 1810 24 (J9801A) managed switch that can't be set to vlan-transparent mode, and it requires you to define every vlan you want to pass on every port that will use the vlan. In the HP 1810 switch's factory default setting it has all ports as access ports for vlan 1. Any tagged traffic is blocked. It can be configured to explicitly allow specific tagged vlans through, there isn't any global setting that makes it behave like a MikroTik switch with vlan-filtering=no.
So in my experience, a recent dumb switch is more likely to offer a vlan-transparent mode than a managed switch. The managed switch gives you a lot more functionality, but with it more complexity.
That's why I suggested the hAP axS; it's an excellent switch and access point that can serve multiple WLANs.
I wouldn't suggest that device to anyone right now.
Not in the state it currently is.
Some quirks and wrinkles which still need ironing out.
Oooh, that bad? Since it's not RoS, you are saying the hardware is not any good?
Has mikrotik pulled it from the shelves, not being sold… if indeed it's not good?
I'm still assuming it's all SW related.
Basically, it's a Hex S 2025 (with all comments, quirks and limitations that came with that platform, especially on ether1 and SFP connection to CPU) and then Mediatek wifi was simply added to CPU.
Very first device using that driver so it may be a bit normal things are not yet smooth sailing on that front either.
IMHO, but who am I, this device should not have been released with current SW versions.
Latest beta already brought some improvements to Mediatek drivers. So shortly after release?
As an example: wifi performance is dramatic using Belgium as country (as in: most of the times it simply doesn't connect). Using Panama it connects each time. That's driver/SW, right?
However, I am pretty sure things will be fixed given time (MT normally does so I have no indications this will be different) and then we can move on.
If we go back to the topic, the OP:
- Already owns a hAP Ax3
- Already owns a TP-LINK TL-SG1005P
- Needs to buy a new Access Point device for this added large room
This access point could be, depending on budget/requirements/actual room cabling:
Traditional:
hap Ax lite - 2.4 GHz only - $59
hap AX2 $99
hap AxS $79 <- but still with some (many) wrinkles to be ironed out
Ceiling:
Cap Ax - $119
Wall/corner:
Wap Ax - $89
So, he can procure this new AP, then he can test if the already existing switch allows to have VLANs passthrough untouched (it should, but better test).
If - as it seems - the unmanaged switch allows the VLAN marked packets, no problem.
Should - for whatever reason - NOT allow that, the cheapest suitable managed switch would probably be the RB260GS $40:
https://mikrotik.com/product/RB260GS
Nope, it's different continent.
If using MT devices on both sides of unmanaged switch and it appears it does not handle VLAN properly, put EOIP tunnel over both MT devices and done.
Not needed to change switch itself only for that.
Performance wise replacement is the better option but not mandatory.
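
The outbound-firewall approach mentioned earlier in the thread (allow the gateway, block RFC 1918 destinations), modelled as an added example that is not from any poster or from MikroTik. The guest subnet, gateway address and sample flows are constructed; the model shows that the gateway exception must precede the drop, and that guest-to-guest traffic never reaches a routed firewall at all.

```python
import ipaddress

# RFC 1918 private ranges that guest traffic must not reach.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing for the example (not from the thread).
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")   # guest WLAN behind the AP
GATEWAY = ipaddress.ip_address("192.168.88.1")     # main router on the home LAN

# Ordered forward rules, first match wins: (action, predicate on destination).
GOOD_RULES = [
    ("accept", lambda dst: dst == GATEWAY),
    ("drop", lambda dst: any(dst in n for n in RFC1918)),
    ("accept", lambda dst: True),
]
# Same rules with the gateway exception placed after the drop.
BAD_ORDER = [GOOD_RULES[1], GOOD_RULES[0], GOOD_RULES[2]]


def forward_verdict(rules, src, dst):
    """Verdict for a routed packet from a guest client, or None if the
    packet never reaches the firewall (same-subnet traffic is bridged)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        raise ValueError("source is not a guest client")
    if dst in GUEST_NET:
        return None  # guest-to-guest: only AP client isolation can stop this
    for action, matches in rules:
        if matches(dst):
            return action
    return "drop"


def audit(rules):
    """Run the constructed sample flows through a rule list."""
    flows = {
        "gateway": "192.168.88.1",
        "lan_host": "192.168.88.20",
        "other_private": "172.16.5.5",
        "internet": "203.0.113.10",     # documentation range, stands in for a public host
        "other_guest": "10.99.0.50",
    }
    return {name: forward_verdict(rules, "10.99.0.10", dst)
            for name, dst in flows.items()}


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad order", BAD_ORDER)):
        print(label, audit(rules))
```

A `None` verdict marks traffic the firewall never sees, which is why client isolation on the AP is needed alongside the RFC 1918 drop.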

