Little help needed

Hi everyone,
I am not familiar with routers, so sorry for the simple question, but I will need a little help. I recently bought a MikroTik router hAP ac and a MikroTik switch RB260GSP, and obviously I'm becoming a minor MikroTik shareholder because I plan to buy another MikroTik to extend the WiFi coverage. So for the last 2 weeks I read many MikroTik articles and posts and somehow managed to configure the router myself thanks to the user-friendly MikroTik guides and OS. Now I run pppoe-client on sfp1 (WAN), bridge1 on eth2 and eth3 (LAN) (not in bridge with other), addresses 192.168.10.1/24, dhcp1 server on bridge1, gateway 192.168.10.1, DNS the same, firewall etc. is OK. I wanted to separate the WiFi network from the LAN and configured bridge2 only with wlan1 and wlan2, separate dhcp2 on bridge2, addresses 192.168.11.1/24, gateway 192.168.11.1, DNS 192.168.11.1 and 192.168.10.1. IP routes says both networks are reachable. But there is no internet connection on the WiFi network. When I move wlan1 to bridge1, there are no problems. Obviously I'm wrong somewhere.

Thanks in advance.

You need to check what exactly happens. Do devices get IP addresses? If they do, then it’s either firewall filter (you need to allow access from bridge2 to internet) or srcnat (I don’t remember what exactly is covered by default rule).

Thanks for the reply.
The devices get an IP from dhcp2 and get registered in the wireless interface, but there is no internet access. I have srcnat masquerade on WAN (outgoing) only. Tomorrow I will post the firewall settings…

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

       DST-ADDRESS         PREF-SRC        GATEWAY        DISTANCE
0 ADS  0.0.0.0/0                           pppoe-out1     1
1 ADC  172.16.100.50/32    81.17.88.25     pppoe-out1     0
2 ADC  192.168.10.0/24     192.168.10.1    bridge1_LAN    0
3 ADC  192.168.11.0/24     192.168.11.1    bridge2_WiFi   0

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; AcceptEstablishedRelated
chain=input action=accept connection-state=established,related log=no log-prefix=""

2 ;;; DropInvalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

3 X ;;; AcceptICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

4 ;;; DropAllNotComingFromLAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

5 ;;; DropInvalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

6 ;;; AcceptEstablishedRelated
chain=forward action=accept connection-state=established,related log=no log-prefix=""

7 ;;; DropIncomingFromInternetWhichNotPublicIP
chain=forward action=drop src-address-list=not_in_internet in-interface=pppoe-out1 log=yes log-prefix="!public"

8 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1

9 ;;; Drop incoming packets that are not NATted
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1 log=yes log-prefix="!NAT"

10 ;;; AcceptInIPSECpolicy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

11 ;;; AcceptOutIPSECpolicy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

12 ;;; Fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

13 ;;; AllowAccessToRouterFromBridge1
chain=input action=accept src-address-list=allowed_to_router log=no log-prefix=""

14 ;;; DropAllOtherTrafficToRouter
chain=input action=drop log=no log-prefix=""

/ip firewall address-list print
allowed_to_router 192.168.10.1-192.168.10.254
not_in_internet - lists from the manual for securing your router

There is nothing blocking access from bridge2_WiFi to the internet. So is there really no internet access, or is it just regular web browsing that doesn’t work? Because the latter can easily happen even with full internet access available. In this case it could be a problem with DNS: if you don’t have bridge2_WiFi in the LAN interface list, DNS queries will be blocked by rule #4.

Thank you so much Sob,
I found it. You are right, I forgot to put bridge2_wifi in the LAN interface list. Now everything works.
Thanks again and have a nice day!
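
Added example, not part of the thread: a small Python model of first-match evaluation over the terminating filter rules posted above, tracing a new connection from a WiFi client through the forward and input chains. The client address 192.168.11.50 and the initial LAN list membership (bridge1_LAN only) are assumptions, and the matchers are simplified as noted in the comments.

```python
import ipaddress

# allowed_to_router as posted: 192.168.10.1-192.168.10.254
ALLOWED = (ipaddress.ip_address("192.168.10.1"), ipaddress.ip_address("192.168.10.254"))

# (rule number, chain, action, matchers) transcribed from the posted filter print.
# Left out: 0 and 12 (counters/fasttrack), 3 (disabled), 7 (list contents not
# posted), 9 (same matchers as 8), 10-11 (IPsec policy only).
RULES = [
    (1, "input", "accept", {"state": {"established", "related"}}),
    (2, "input", "drop", {"state": {"invalid"}}),
    (4, "input", "drop", {"in_list_not": "LAN"}),
    (5, "forward", "drop", {"state": {"invalid"}}),
    (6, "forward", "accept", {"state": {"established", "related"}}),
    # connection-nat-state=!dstnat is assumed true in this simplified model
    (8, "forward", "drop", {"state": {"new"}, "in_if": "pppoe-out1"}),
    (13, "input", "accept", {"src_list": ALLOWED}),
    (14, "input", "drop", {}),
]

def first_match(chain, pkt, lan_ifaces):
    """Return (rule number, action) of the first rule that matches pkt."""
    src = ipaddress.ip_address(pkt["src"])
    for num, rule_chain, action, m in RULES:
        if rule_chain != chain:
            continue
        if "state" in m and pkt["state"] not in m["state"]:
            continue
        if "in_if" in m and pkt["in_if"] != m["in_if"]:
            continue
        if "in_list_not" in m and pkt["in_if"] in lan_ifaces:
            continue  # in-interface-list=!LAN only matches non-members
        if "src_list" in m and not (m["src_list"][0] <= src <= m["src_list"][1]):
            continue
        return num, action
    return None, "accept"  # nothing matched: the chain's default is accept

# Constructed sample traffic: a new connection from a WiFi client
wifi = {"src": "192.168.11.50", "in_if": "bridge2_WiFi", "state": "new"}

if __name__ == "__main__":
    print("web, forward chain:", first_match("forward", wifi, {"bridge1_LAN"}))
    print("DNS to router, LAN=bridge1 only:", first_match("input", wifi, {"bridge1_LAN"}))
    print("DNS to router, bridge2 added to LAN:",
          first_match("input", wifi, {"bridge1_LAN", "bridge2_WiFi"}))
```

With bridge2_WiFi in the LAN list, rule 4 stops matching. With allowed_to_router exactly as posted, the next input rule that matches a 192.168.11.x source is 14, so check that the WiFi subnet is covered by an accept rule ahead of it.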