Issues with multi-SSID VLAN configuration on cAP ax

Hi everyone!
I’ve got a few MikroTik devices [R5009, CRS310-8G and cAP AX] and I’m trying to create a SOHO network (as well as to hone my networking skills a bit more).
All devices are running the latest available packages (7.16.1 at the time of writing this post).

So far, I’ve managed to get the router and switch working just fine, with a PC connected via the switch and traffic being handled via VLAN (I think, at least).
The issue is, no matter what I try, it seems I cannot get the cAP to correctly provide a few WiFi networks for VLANs 30, 31, 32 and 40.
Even when trying to use the built-in wifi1 or wifi2 with a basic configuration (security set, datapath VLAN ID set to 30), the end device (a phone in this test case) cannot obtain an IP address from DHCP on the router.
What exactly has to be done to set up multiple SSIDs for both 2.4GHz and 5GHz, each with its own VLAN?

Thanks for any help in advance!

Here are the configurations (those I was able to export or write down on my own; the plain exported files from the switch and AP had no exact configuration other than the NTP client):
router.rsc (5.09 KB)
ap.rsc (516 Bytes)
switch.rsc (1.29 KB)
Also attaching the designated network diagram, as a reference for the whole idea.
networking.jpg

First, the bridge on the router should have VLAN filtering enabled:

/interface bridge
add name=bridge port-cost-mode=short

Change to:

/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes

I can continue on all other parts (access point at least), but you should first start reading and applying the “bible on VLAN” topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I can help without CAPsMAN… which I loathe for the complexity it brings to the config and the gazillion lines of code required.

Basically each device uses one bridge.
The AP and switch get a trunk port from the router and distribute the VLANs as necessary. In your case, a trunk from the switch to the capac and also to the TP-Link smart switch.
So the MT switch has three trunk ports!
Each smart device (AP and switch) should get its LAN IP via IP address and on the trusted or management VLAN.
This is the only VLAN that needs to be identified to the bridge.
No WAN or LAN, just a TRUSTED interface list entry on the AP and switch.

As for the capac, one creates virtual WLANs; typical is one virtual 5GHz and one virtual 2GHz, so four WLANs at the end of the day.
Each can be associated with VLANs as you see fit (assigned via interface bridge ports and interface bridge vlans).

Once you have done an initial stab using the great link from erlinden (not to be confused with the great Erlinden, that's a famous magician long dead), then post all three configs here for review and assistance.
/export file=anynameyouwish (minus device serial number, any public WAN IP information, keys etc.)

PS. Nice diagram!!

To get you started on cap…

Note the first thing I do is use the second ether port as an emergency access port and a CONFIG port when initially setting up the router.
Trust me, it will save you much grief, as working with bridges and VLANs can be frustrating when trying to do it from a port on the bridge…

Add an IP address to ether2: 192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
Add the interface to the single interface list (MGMT).
Then all you need to do is plug the laptop into ether2, change the IPv4 settings on the laptop to 192.168.55.2, and you will have access.
For any capac install, after the initial install, if I am going to physically place it in a location that is too hard to reach (by directly plugging in an ethernet cable, e.g. a low ceiling), I run a second cable to a location where I can plug the other end into a laptop (not necessarily back to the patch panel, but any location: closet, storeroom etc.).

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=no
# change vlan-filtering to yes as the last step
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface vlan
add interface=bridge name=mgmtVLAN vlan-id=5
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys name=media_Security
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys name=trusted_Security
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot_Security
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys name=guest_Security
/interface wireless
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5 band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=Schnapps disabled=no frequency=5220 guard-interval=long mode=ap-bridge name=trustedWLan security-profile=trusted_Security skip-dfs-channels=all ssid=Home-Users wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5 band=2ghz-g/n basic-rates-b="" country=Schnapps frequency=2437 guard-interval=long mode=ap-bridge name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Entertainment supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled master-interface=trustedWLan multicast-buffering=disabled name=guestWLAN security-profile=guest_Security ssid=Guests wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled master-interface=mediaWlan multicast-buffering=disabled name=iotWLAN security-profile=iot_Security ssid=iotDevices wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from switch"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=trustedWLan pvid=30
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=guestWLAN pvid=31
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=32
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=iotWLAN pvid=40
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=mgmtVLAN list=MGMT
add interface=OffBridge2 list=MGMT
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=5
add bridge=bridge tagged=ether1 untagged=trustedWLan vlan-ids=30
add bridge=bridge tagged=ether1 untagged=guestWLAN vlan-ids=31
add bridge=bridge tagged=ether1 untagged=mediaWlan vlan-ids=32
add bridge=bridge tagged=ether1 untagged=iotWLAN vlan-ids=40
/interface detect-internet
set detect-interface-list=NONE
/ip address
add address=10.64.0.X/24 interface=mgmtVLAN network=10.64.0.0
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dns
set servers=10.64.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.64.0.1
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.64.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Thanks for the input! Sadly, enabling VLAN filtering on the router shuts down my entire network :confused:
I've read up a little in the "VLAN bible" beforehand, but since the config was based on ROS6 I've tried my best to adapt it, alongside my basic understanding (and a few YouTube videos watched before getting MikroTik gear).


Thanks; yeah, I'm not a fan of using CAPsMAN at this stage, since I'm 100% certain this won't get another AP for the next 4 or 5 years :slight_smile:


Here's the export of the most recent setup, which still seems not to work: when VLAN filtering is enabled on the R5009 bridge, no network connection can be made. Or maybe I'm just missing firewall rules?
Also, when VLAN filtering is on on the switch but disabled on the router, AP users still cannot obtain an IP address from DHCP, but PCs connected to ether1/2 can.
switch-21102024.rsc (1.79 KB)
router-21102024.rsc (5.44 KB)
ap-21102024.rsc (2.72 KB)

Thanks; tried my best :smiley:

Still, you need to learn basic VLAN setup. @anav did an incredible job in his reply to this post. You missed all the relevant stuff (/interface/bridge/port and /interface/bridge/vlan) and misconfigured /interface/vlan. Compare your config with the example of @anav, specifically on the parts I mentioned.

To the point: safely do your CONFIGURING OFF THE BRIDGE as I explained it, aka on the MT switch, router and AP.

Remove the interface bridge filtering entry, that's for advanced use only…
Do the config from port 8!!! Put 192.168.88.2 in the IPv4 settings on the laptop.

# 2024-10-21 18:45:32 by RouterOS 7.16.1
#
# model = CRS310-8G+2S+
#
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=no
# change vlan-filtering to yes as the last step
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] name=OffBridge8
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add comment=Management interface=bridge name=vlan-mgmt vlan-id=5
/interface list
add name=MGMT
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 comment="trunk to R5009"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10 comment=PC1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 comment=PC2
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="Lab Switch"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4 comment="Trunk to AP"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether3,ether4 vlan-ids=5
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,ether3 vlan-ids=20,21,22
add bridge=bridge tagged=sfp-sfpplus1,ether4 vlan-ids=30,31,32,40
/ip address
add address=10.64.0.2/24 comment=Management interface=vlan-mgmt network=\
    10.64.0.0
add address=192.168.88.1/30 interface=OffBridge8 network=192.168.88.0
/interface list member
add interface=vlan-mgmt list=MGMT
add interface=OffBridge8 list=MGMT
/ipv6 settings
set disable-ipv6=yes
/ip dns
set servers=10.64.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.64.0.1
/system clock
set time-zone-name=shnapps
/system identity
set name=CRS310
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.64.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool romon
set enabled=yes

You have two examples now.
Hints for the router.

  • All the VLAN IDs require bridge tagging (usually).
  • Use ALL VLANS; don't ask the bridge to do any DHCP. If you have and use a bridge subnet, just change that to a VLAN of any number (not 1); very minor and quick changes to do this.
  • Use the off-bridge approach for the initial config (is that what your debug port 2 is intended for??)
  • Do you have a public IP address, or does the upstream router have one and can it port forward? If so, use WireGuard to configure the router remotely and forget about SSH.
    - Firewall rules generally suck at this point.
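Added here as an example, not from anav's posts or from the exports in this thread: a small Python check for the rules the two configs above follow, that every name in /interface bridge vlan is really a bridge port (RouterOS names are case-sensitive), that every access port's pvid has an untagged entry, and that the trunk carries every VLAN that has access ports tagged. It assumes the trunk port is ether1 and that values in the export are unquoted; the sample export is constructed, with two planted mistakes.

```python
# Constructed sample (not from the thread's exports): a bridge port/vlan fragment
# with two planted mistakes, iotWlan vs iotWLAN and VLAN 40 missing from the trunk.
SAMPLE = """
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=trustedWLan pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=iotWlan pvid=40
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=5
add bridge=bridge tagged=ether1 untagged=trustedWLan vlan-ids=30
add bridge=bridge untagged=iotWLAN vlan-ids=40
"""

def parse_export(text):
    """Read the two bridge sections: ports {interface: pvid} (0 = trunk, no pvid)
    and a list of (vlan_id, tagged set, untagged set), one entry per VLAN id."""
    ports, vlans, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(p.split("=", 1) for p in line.split()[1:])  # no quoted values here
            if section == "/interface bridge port":
                ports[kv["interface"]] = int(kv.get("pvid", 0))
            elif section == "/interface bridge vlan":
                tagged = set(filter(None, kv.get("tagged", "").split(",")))
                untagged = set(filter(None, kv.get("untagged", "").split(",")))
                for vid in kv["vlan-ids"].split(","):
                    vlans.append((int(vid), tagged, untagged))
    return ports, vlans

def check(text, trunk="ether1"):
    """Return findings as strings; an empty list means the two sections agree."""
    ports, vlans = parse_export(text)
    known = set(ports) | {"bridge"}
    findings = []
    for vid, tagged, untagged in vlans:
        for name in sorted(tagged | untagged):
            if name not in known:  # names are case-sensitive: iotWlan is not iotWLAN
                near = [p for p in known if p.lower() == name.lower()]
                hint = f" (did you mean '{near[0]}'?)" if near else ""
                findings.append(f"vlan {vid}: '{name}' is not a bridge port{hint}")
        if untagged and trunk not in tagged:
            findings.append(f"vlan {vid}: trunk {trunk} is not tagged, so these clients never reach the router")
    for port, pvid in sorted(ports.items()):
        if pvid and not any(v == pvid and port in u for v, _, u in vlans):
            findings.append(f"port {port}: pvid {pvid} has no matching untagged entry in /interface bridge vlan")
    return findings
```

Run it against your own export before setting vlan-filtering=yes; the switch config is checked the same way by passing trunk="sfp-sfpplus1".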