Multiple Isolated Wifi networks on a wired AP bridge

Hi all,

First of all, sorry for my basic question, but I'm really a noob when it comes to networking, not limited to but especially with Mikrotiks.

Situation is as follows:

  • I have a HAP ax3 acting as my main router. It provides 3 Wifi networks which are isolated from each other (private, guest and IOT).
  • It took me hours and reading through a lot of tutorials to get this going, and there is for sure room for improvement, but it works.
  • I bought a HAP ax lite as a wired AP bridge. Using a simple bridge setup I'm able to extend my main Wifi (private) just fine.
  • I fail to extend my other 2 Wifi networks as I'm not sure how to get this done. I guess I need additional bridges, similar to the main router setup, and configuration of additional DHCP clients getting IPs from the main router… unfortunately I can't get this to work at all.

Here is the configuration from my HAP ax lite (AP bridge). As said, the main Wifi (private) is working ok; problems exist with the other Wifi networks (e.g. I tried guest so far).
I guess it's related to VLAN tagging; do I need that if I have different bridges?

# 2023-12-28 13:15:46 by RouterOS 7.13
# software id = 3638-CNQF
#
# model = L41G-2axD
# serial number = XXXX
/interface bridge
add name=bridge_Guest
add name=bridge_LAN port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Germany .mode=ap .ssid=\
    wired disabled=no name=2GHz_wired security.authentication-types=\
    wpa2-psk,wpa3-psk .wps=disable
add configuration.mode=ap .ssid=wired_guest disabled=no mac-address=\
    7A:9A:18:15:D3:16 master-interface=2GHz_wired mtu=1500 name=2GHz_guest \
    security.authentication-types=wpa2-psk,wpa3-psk
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_LAN interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=2GHz_wired
add bridge=bridge_LAN interface=2GHz_guest pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.66.3/24 interface=bridge_LAN network=192.168.66.0
add address=192.168.71.99/24 interface=bridge_Guest network=192.168.71.0
/ip dhcp-client
add add-default-route=no interface=bridge_Guest
add add-default-route=no interface=bridge_LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.66.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=wired_AP
/system note
set show-at-login=no

Thanks for your patience and diligence.

There is no need to use multiple bridges when using VLANs.
Not on the main router nor on the wired AP.
One is enough.

See this excellent guide on how to set up VLANs properly.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Read it, digest it, read it again.
Then apply.
You need setups for router/AP combo and AP.

Basically you need a trunk port between router and AP; the AP will then be able to use all VLAN tags presented via the trunk.

For the secondary device acting as an AP/switch follow this advice.
https://forum.mikrotik.com/viewtopic.php?t=182276

Hi all,
Sorry for reactivating such an old thread, and thanks holvoetn and anav. The posted guide is in fact a very good starting point.
I have setup my main router accordingly to the Router/Switch setup and all is now properly separated using VLANs on a single bridge. This is working like a charm.

When it comes to connecting the AP (hap ax lite) I'm still a bit confused, I have to say.
I followed the AP instructions in the same referenced thread, with the small difference that I also added the physical ports besides the Wifi networks.
Currently I fail to really have the networks forwarded on the AP (no internet access).
Secondly, I would like to reach the AP under 192.168.66.3, which I made static for the AP on the main router. This doesn't work, and when I apply the config I'm unable to connect to the AP again, causing me to need to perform a reset.

I think there's not much going wrong here, but I'm having a hard time finding the solution.
For you guys this is for sure quite obvious. Any help would therefore be greatly appreciated.


My dummy config based on the provided example looks like this.

# name the device being configured
/system identity set name="wired_AP"
#######################################
# VLAN Overview
#######################################
# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=1-wifi-2GHz ] ssid=wired frequency=auto mode=ap-bridge disabled=no

# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=2-wifi-2GHz_guest ssid=wired_guest master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no

# Red SSID
/interface wireless security-profiles add name=RED_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=3-wifi-2GHz_IOT ssid=wiot master-interface=wlan1 security-profile=RED_PROFILE disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge_LAN protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Blue, Green, Red VLAN
add bridge=bridge_LAN interface=1-wifi-2GHz pvid=10
add bridge=bridge_LAN interface=2-wifi-2GHz_guest pvid=20
add bridge=bridge_LAN interface=3-wifi-2GHz_IOT pvid=30
add bridge=bridge_LAN interface=ether2 pvid=10
add bridge=bridge_LAN interface=ether3 pvid=10
add bridge=bridge_LAN interface=ether4 pvid=10

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=bridge_LAN interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=bridge_LAN tagged=ether1 vlan-ids=10
add bridge=bridge_LAN tagged=ether1 vlan-ids=20
add bridge=bridge_LAN tagged=ether1 vlan-ids=30
add bridge=bridge_LAN tagged=bridge_LAN,ether1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=bridge_LAN name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN

/ip address add address=192.168.66.3/24 interface=bridge_LAN network=192.168.66.0

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.66.1


#######################################
# IP Services
#######################################

# As in the example nothing configured but is this really the way to go? 


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=1-wifi-2GHz]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=2-wifi-2GHz_guest]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=3-wifi-2GHz_IOT]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge_LAN vlan-filtering=yes

You have a godawful way of showing a config LOL… I tell that to pcunite all the time :wink:
Bridge does not get an address… the IP address of the device is the address given via the management base vlan.
I recommend making one port access to config the device OFF the bridge… works well.

/interface bridge
add ingress-filtering=no name=bridge_LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=trunk
set [ find default-name=ether4 ] name=emergaccess
/interface vlan
add interface=bridge_LAN  name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless
{ as required }
/interface bridge port
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-vlan-tagged interface=trunk
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=1-wifi-2GHz pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=2-wifi-2GHz_guest pvid=20
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=3-wifi-2GHz_IOT pvid=30
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge_LAN tagged=trunk  untagged=ether2,ether3,1-wifi-2GHz  vlan-ids=10
add bridge=bridge_LAN tagged=trunk  untagged=2-wifi-2GHz_guest  vlan-ids=20
add bridge=bridge_LAN tagged=trunk  untagged=3-wifi-2GHz_IOT  vlan-ids=30
add bridge=bridge_LAN tagged=trunk,bridge_LAN  vlan-ids=99
/interface list member
add interface=BASE_VLAN list=BASE
add interface=emergaccess list=BASE
/ip address
add address=192.168.0.3/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether4 access off bridge"
/ip dns
# Note: done so all DNS requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Hi anav,
You are so damn fast in answering! Very much appreciated!
This helped a lot, I got the AP to work and all 3 Wifi networks are working fine now.
One thing which I´m having a hard time to understand is the emergency access and generally the AP access via Winbox.

Please correct me if I'm wrong, but with this setup the idea is that you can only connect via Winbox on the emergency access port (ether4) via MAC, correct?
I cannot manage to connect to the AP from… let's say the private VLAN (pvid 10). Also the AP itself doesn't seem to have any internet access. I cannot ping the outside world, nor can I check for RouterOS updates. Not quite sure if that is intended. Not quite sure I got the VLAN tagging correct, or maybe the IP addressing part is missing something.

Thanks for your continuous help!

Sounds like you may have some errors, but not sure.
Post your latest config for review…

In terms of access to the AP, you should be able to reach the AP via Winbox from any PC on the main router on the 99 network.
If you had a port on the AP (access port) for vlan99 that would also work; however, it's better to use an off-bridge port.

Most of the pain in the butt happens when you screw something up during bridge VLAN configuration; it's easy to get locked out and have to start from scratch. Then you would not be able to access it from the main router management subnet, nor from a local port assigned to vlan99.
Much safer to config from, or have emergency access via, an off-bridge port.

So you only set the address, take the port off the bridge and then plug your laptop into that port.
Change your IPv4 settings appropriately and Bob's your uncle.

Ahh, while looking I just found that there is indeed still a bigger problem. I forgot to turn VLAN filtering on the bridge on (typically I do that at the end so as not to be cut off during configuration). Now after I did that, the internet access on the Wifi networks is gone again :frowning:
So yes, quite sure something is not as it should be. Potentially also a problem on my main router, as that config is a bit clunky since it has grown over time.

MainRouter:
mainrouter.rsc (12 KB)
AP Config (really based on your correction) - without the unnecessary commenting :wink:
AP.rsc (2.83 KB)
Thanks for your time!

  1. I see nothing wrong with the AP…

  2. Oops you have main router errors showing, the question here is why do you have bridge filters at all? Remove for now please.
    /interface bridge filter
    # no interface
    add action=drop chain=forward in-interface=*9
    # no interface
    add action=drop chain=forward out-interface=*9
    # no interface
    add action=drop chain=forward in-interface=*A
    # no interface
    add action=drop chain=forward out-interface=*A

  3. Should be set to BASE
    /ip neighbor discovery-settings
    set discover-interface-list=VLAN

  4. There appears to be no trunk port to the AP??? as evidenced by the /interface bridge port settings ???

  5. The /interface bridge vlan settings provide no clues as to what is going on.

  6. Set detect internet interface=NONE

  7. Simplify (when using all VLANs, the bridge is not a list member)

/interface list
add name=WAN
add name=LAN
add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=private_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=guest_VLAN list=LAN
add interface=iot_VLAN list=LAN
add interface=wireguardVPN list=LAN

add interface=BASE_VLAN list=BASE
add interface=wireguardVPN list=BASE
{ to allow admin remote access to config the router if necessary }

  8. If you manually added netmask to this address line, remove it!
    add address=192.168.66.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.66.1 netmask=24

  9. Remove this static DNS setting!!!
    /ip dns static
    add address=192.168.66.1 comment=defconf disabled=yes name=router.lan

  10. Firewall rules adjusted
    /ip firewall address-list { using static dhcp leases for local addresses }
    add address=192.168.0.A/32 list=Authorized comment="admin local desktop wired"
    add address=192.168.0.B/32 list=Authorized comment="admin local laptop wired"
    add address=192.168.70.X/32 list=Authorized comment="admin remote wg laptop"
    add address=192.168.70.Y/32 list=Authorized comment="admin remote wg smartphone/ipad"
    add address=192.168.36.2/32 list=Authorized comment="admin on AP"

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related, Untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake pderDfels" dst-port=13231 protocol=udp
add action=accept chain=input comment="wireguard handshake VPN" dst-port=51820 protocol=udp
add action=accept chain=input comment="Admin Access" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"
{ add this very last or you may lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Admin to subnets" in-interface-list=BASE src-address-list=Authorized out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

Note1: If you want to be able to access router and AP from private subnet,

  • add private subnet vlan10? to the BASE interface list
  • add ip addresses for admin to the source address list Authorized

Note2: It is not clear what the role of the other wireguard VPN is…so left it out of firewall rules
Once detailed, it will be easy to make adjustments.

  11. Add route for admin on AP…
    add dst-address=192.168.36.2 gateway=192.168.0.3 routing-table=main

  12. MISSING wireguard allowed IP settings??? or am I blind?
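A way to see what the input chain above actually lets through, and why Note1 needs both changes (interface list and address list): the Python model below, added for this page and not anav's script or RouterOS code, evaluates the posted input rules first-match against constructed packets. The rule list is transcribed from the post; the interface-list membership (private_VLAN in LAN only, BASE_VLAN and wireguardVPN in BASE) and the admin addresses are constructed assumptions, and only the matchers those rules use are modelled.

```python
"""First-match model of the input chain proposed above.  Added example for
this page: a simplified model of RouterOS rule matching (only the matchers
these rules use), not RouterOS code and not anav's script."""
from dataclasses import dataclass


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str = "tcp"
    dst_port: int = 0
    state: str = "new"      # connection-state as conntrack would report it


# Constructed assumption of the interface lists as anav describes them:
# BASE_VLAN and the road-warrior WireGuard are in BASE, the private VLAN only in LAN.
LISTS = {
    "LAN": {"private_VLAN", "BASE_VLAN", "guest_VLAN", "iot_VLAN", "wireguardVPN"},
    "BASE": {"BASE_VLAN", "wireguardVPN"},
}
# Constructed stand-ins for the Authorized address list (static DHCP leases).
AUTHORIZED = {"192.168.0.10", "192.168.66.10", "192.168.70.2"}

# The input-chain rules from the post, in order, as (matchers, action).
INPUT_CHAIN = [
    ({"state": {"established", "related", "untracked"}}, "accept"),
    ({"state": {"invalid"}}, "drop"),
    ({"proto": {"icmp"}}, "accept"),
    ({"proto": {"udp"}, "dst_port": {13231}}, "accept"),
    ({"proto": {"udp"}, "dst_port": {51820}}, "accept"),
    ({"in_list": {"BASE"}, "src_list": {"Authorized"}}, "accept"),
    ({"in_list": {"LAN"}, "proto": {"udp"}, "dst_port": {53}}, "accept"),
    ({"in_list": {"LAN"}, "proto": {"tcp"}, "dst_port": {53}}, "accept"),
    ({}, "drop"),                                 # "Drop all else", must stay last
]


def matches(pkt, matchers, lists):
    """True if every matcher of one rule holds for pkt (no matchers = match all)."""
    checks = {
        "state": lambda v: pkt.state in v,
        "proto": lambda v: pkt.proto in v,
        "dst_port": lambda v: pkt.dst_port in v,
        "in_list": lambda v: any(pkt.in_iface in lists[name] for name in v),
        "src_list": lambda v: v == {"Authorized"} and pkt.src in AUTHORIZED,
    }
    return all(checks[key](val) for key, val in matchers.items())


def input_verdict(pkt, lists=LISTS):
    """Action of the first matching rule; RouterOS chains stop at the first match."""
    return next(action for m, action in INPUT_CHAIN if matches(pkt, m, lists))


if __name__ == "__main__":
    admin_on_private = Packet("private_VLAN", "192.168.66.10", "tcp", 8291)  # Winbox
    print("admin on private VLAN, lists as posted:", input_verdict(admin_on_private))
    with_note1 = {**LISTS, "BASE": LISTS["BASE"] | {"private_VLAN"}}
    print("same, after Note1 adds private_VLAN to BASE:",
          input_verdict(admin_on_private, with_note1))
    print("non-admin on private VLAN after Note1:",
          input_verdict(Packet("private_VLAN", "192.168.66.50", "tcp", 8291), with_note1))
```

With the lists as posted, an admin machine on the private VLAN is dropped on its way to Winbox even though its address is in Authorized, because the "Admin Access" rule requires both the BASE interface list and the address list; adding private_VLAN to BASE (Note1) flips that verdict, while the address list still keeps every other private-VLAN host out. DNS from any LAN interface and the WireGuard handshake ports stay reachable regardless.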

Hi anav,

Thanks for the detailed response. I just recognized yesterday, actually before your reply, that I hadn't configured a trunk (dumb).
A lot of the other garbage still in is from refactoring the main router from the initial multiple bridge based setup to VLAN. Maybe I should have started from scratch instead.

Let me try to go through one by one:

  • Thanks to you the AP is so far ok.
  • Bridge filters are removed. Indeed a leftover.
  • Done
  • Trunk port (ether2) was indeed missing and has been added now. I hope I did that in the correct manner.
  • Ok does this look better now in the new export?
  • Ok deactivated. This actually comes from using the Mikrotik Android app to access the device config. Seems I activated it there by accident.
  • Simplification completed. Makes sense to remove the bridge
  • Hey good catch, removed netmask from address.
  • Mhh, I'm honestly not sure where this is coming from. I use Cisco OpenDNS to lock down access to certain internet categories. In order to not allow users to simply change their DNS manually I tried something; maybe this is it. I cannot remember. I do that via NAT anyway.
  • Firewall rules cleaned. Are all the other rules I have not of value anymore (I refer to the currently disabled ones)?
    Note1: Ok I added private_VLAN (10) to the BASE interface list. I also added one IP address to the Authorized list. In order to make sure this address stays the same I just went to DHCP Server and made the lease address static.
    Note2: The first wireguard is for a roadwarrior setup. The other wireguard is a site2site setup which should be up and running permanently. This was working fine in the past. I think to get this enabled I just add the wireguard to the LAN interface list, correct?
  • Ok will add that on the AP.
  • Indeed I removed that from the config with some other scripts and schedules on the router but its there in the new export.

mainrouter.rsc (20.6 KB)

Looks much better!

  1. Set to NONE: mac-server by itself is not a secure protocol
    /tool mac-server
    set allowed-interface-list=BASE
    /tool mac-server mac-winbox
    set allowed-interface-list=BASE

  2. Modify the router-to-remote-router subnet route TO:
    /ip route
    add dst-address=192.168.178.0/24 gateway=wireguard_perDfels routing-table=main

  3. Now let's look at bridge ports and bridge VLANs :slight_smile:
    Ports look okay; modify /interface bridge vlan to: { I prefer manual entry of untagged; both are valid, but this way I can cross-check with bridge ports to see if both line up }

/interface bridge vlan
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=ether3,ether4,1-wifi5Ghz,2-wifi2GHz vlan-ids=10
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=4-wifi2GHz_Guest vlan-ids=20
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=5k-wifi2GHz_IOT vlan-ids=30
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=ether5 vlan-ids=99

  4. Since you are providing NTP from the router, adjust this rule!!
    add action=accept chain=input comment="user access to services" dst-port=53,123 in-interface-list=LAN protocol=udp
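The cross-check anav describes here (bridge ports against the bridge VLAN table), together with the single-bridge layout from the earlier AP config post, can be automated against a RouterOS /export. The script below is an added example for this page, not RouterOS code and not any poster's config: it parses /interface bridge, /interface bridge port, /interface bridge vlan and /interface vlan, then checks that vlan-filtering is on (the step missed earlier in the thread), that every access port's pvid is carried tagged by a trunk, that explicit untagged lists agree with the pvids, that every member named in the VLAN table is still a port of that bridge (a port renamed after the table was written is a classic miss), and that the bridge itself is tagged in the management VLAN. The two embedded exports are constructed to mirror the broken first config and the corrected AP; the trunk name `trunk` and the SSID interface names are illustrative. Only single vlan-ids are understood, not ranges.

```python
"""Cross-check a RouterOS /export for this thread's single-bridge VLAN layout.
Added example for this page, not RouterOS code nor any poster's config."""
import re
from collections import defaultdict

SECTIONS = ("/interface bridge", "/interface bridge port", "/interface bridge vlan", "/interface vlan")
KV = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """{section: [{key: value}, ...]} for the add/set commands in SECTIONS."""
    text = re.sub(r"\\\n\s*", "", text)          # glue backslash line continuations
    sections, current = defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line if line in SECTIONS else None
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("add", "set"):
            continue
        rest = re.sub(r"\[.*?\]", "", rest)       # drop "[ find ... ]" selectors
        entry = {k: v.strip('"') for k, v in KV.findall(rest)}
        bare = [t for t in rest.split() if "=" not in t]
        if bare: entry.setdefault("name", bare[0])  # "set bridge_LAN vlan-filtering=yes"
        sections[current].append(entry)
    return sections


def check_vlan_bridge(text):
    """Return a list of findings; [] means consistent.  Single vlan-ids only."""
    s, findings = parse_export(text), []
    members = lambda e, key: {m for m in e.get(key, "").split(",") if m}
    # 1. Without vlan-filtering=yes, pvid/tagged/untagged settings are inert.
    filtering = {}
    for e in s["/interface bridge"]:
        if "name" in e:
            filtering[e["name"]] = e.get("vlan-filtering", filtering.get(e["name"], "no"))
    findings += [f"{br}: vlan-filtering is off, VLAN settings are not enforced"
                 for br, on in filtering.items() if on != "yes"]
    # 2. Membership tables from /interface bridge vlan.
    tagged, untagged = defaultdict(set), defaultdict(set)
    for v in s["/interface bridge vlan"]:
        for vid in v.get("vlan-ids", "").split(","):
            tagged[(v["bridge"], vid)] |= members(v, "tagged")
            untagged[(v["bridge"], vid)] |= members(v, "untagged")
    ports = s["/interface bridge port"]
    port_names = {p["interface"] for p in ports}
    trunks = {p["interface"] for p in ports if p.get("frame-types") == "admit-only-vlan-tagged"}
    if not trunks: findings.append("no trunk port (frame-types=admit-only-vlan-tagged)")
    # 3. A table member must be a port of that bridge or the bridge itself
    #    (catches a port renamed after the table was written, e.g. ether1 -> trunk).
    for (br, vid), mem in list(tagged.items()) + list(untagged.items()):
        for m in sorted(mem - port_names - {br}):
            findings.append(f"VLAN {vid}: member {m} is neither a port of {br} nor the bridge")
    # 4. Access ports: pvid must ride tagged on a trunk, an explicit untagged list
    #    must agree with the pvid, and client-tagged frames must be refused.
    for p in ports:
        br, ifc, pvid = p["bridge"], p["interface"], p.get("pvid", "1")
        if ifc not in trunks and pvid != "1":
            if not (tagged[(br, pvid)] & trunks):
                findings.append(f"{ifc}: pvid {pvid} is not tagged on any trunk of {br}")
            for (b, vid), mem in untagged.items():
                if b == br and ifc in mem and vid != pvid:
                    findings.append(f"{ifc}: pvid {pvid} but listed untagged in VLAN {vid}")
        if p.get("ingress-filtering") != "yes":
            findings.append(f"{ifc}: ingress-filtering is off")
    # 5. A management IP on an /interface vlan over the bridge needs the bridge
    #    itself as a tagged member of that VLAN, or the IP is unreachable.
    for v in s["/interface vlan"]:
        br, vid = v.get("interface"), v.get("vlan-id")
        if br in filtering and br not in tagged[(br, vid)]:
            findings.append(f"{v.get('name')}: {br} is not a tagged member of VLAN {vid}")
    return findings


# Constructed sample in the shape of the first post: no VLAN table, the guest
# SSID put in bridge_LAN with a pvid that leads nowhere, one wrapped export line.
BROKEN_EXPORT = """\
/interface bridge
add name=bridge_LAN port-cost-mode=short
/interface bridge port
add bridge=bridge_LAN interface=2GHz_wired
add bridge=bridge_LAN interface=2GHz_guest \\
    pvid=10
"""

# Constructed sample in the shape of the corrected AP: one bridge, tagged trunk,
# pvid access port, bridge tagged in the BASE VLAN, filtering switched on last.
FIXED_EXPORT = """\
/interface bridge
add ingress-filtering=no name=bridge_LAN vlan-filtering=no
/interface vlan
add interface=bridge_LAN name=BASE_VLAN vlan-id=99
/interface bridge port
add bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=trunk
add bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge_LAN tagged=trunk untagged=ether2 vlan-ids=10
add bridge=bridge_LAN tagged=trunk,bridge_LAN vlan-ids=99
/interface bridge
set bridge_LAN vlan-filtering=yes
"""
```

Run it on the text of /export (saved to a file) before switching vlan-filtering on; an empty finding list is the cue that the bridge ports and the VLAN table line up. On the broken sample it reports the missing filtering, the missing trunk, and the guest SSID's pvid that no trunk carries; on the corrected sample it reports nothing, and if the trunk is referenced under its old name in the VLAN table it flags both the unknown member and the pvid that consequently has no trunk.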

Thread is no longer available.

Got to this forum as I have a co-worker who is a fan of Mikrotik and keeps recommending it.

I'm also considering a router and an additional AP for the second floor, but want to configure a VLAN for IOT devices, and I want the additional AP to replicate the original SSIDs/VLANs.

Btw, if someone cares to recommend hardware for this, that would be great. If possible something with Wifi 6 to make it a bit more future-proof.

Thanks

All you require is included in this thread, unless you are using CAPsMAN, and then it's slightly different.
So have at it. When you have a working config or close-to-working config and need help, just ask.

@jmpaiva: I guess you can just have a look at my latest config to get a good understanding of how it would look in your setup. There are a few small issues still, but it's a good start.
For devices it really depends on what you need; there are quite a lot of devices from Mikrotik. I decided on a HAP ax3 as my main router and a HAP ax lite as access point. Especially for the ax lite there are certainly better devices when it comes to WiFi coverage, but it's sufficient for me. Can't expect much more for such a cheap device.

@anav: I implemented the latest proposed changes and understand that it's better to add the untagged interfaces manually for clarity. NTP started working now as well. :slight_smile:
One major problem is still around. I don't have internet access on the AP Wifi networks. The AP itself has internet access when accessed via the off-bridge port.
If connecting to the Wifi networks, it seems like I don't get a proper IP from the DHCP server pools, but I can't identify any problems there. Maybe I also screwed some of the tagging up. Really unsure. There are no changes to the config I uploaded yesterday, except the latest ones you posted. Pretty sure it's a small and stupid problem. :frowning:

Hi dead, you know the drill: post both latest configs for main router and AP, we will find the issue! :slight_smile:

Hi anav,
Really stuck currently, likely very easy.
Here are the mainrouter and ap configs.
mainrouter.rsc (19.4 KB)
ap.rsc (2.99 KB)
Thanks a lot! I owe you multiple drinks.

AP

You added an extra route here; it should not cause any failures, but it should be removed.
/ip route
add comment="ensures route avail through trusted subnet gateway" disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
add disabled=no dst-address=192.168.36.2/32 gateway=192.168.0.3 routing-table=main suppress-hw-offload=no

Other than that I cannot spot anything on the AP.

ROUTER

Could not spot anything on the main router either! :frowning:

TRY rebooting both routers.

Hi anav,
Ok, removed the route and rebooted both units. Nothing changed. Still no correct DHCP assignment on any Wifi network from the AP.
I´ll try to have another close look tomorrow.

Thanks,
Nils

Are you happy with the ax3? I hear some people complaining about the wifi.