Problems with setting up APs with VLAN

Hello All,

We are trying to set up cAP AC APs, but we are running into problems with VLANs. I’ve used different tutorials online, but in the end none of them helped.
The setup is as follows:
mikrotik-support.png
The problem that we are getting is that when connecting with the Virtual SSID we don’t get an IP address from the DHCP servers (running on the ASA).
And after some time our internal network will have problems because of the bridge created (packet drop).

I’ve tried the following tutorials:

Post the whole of current cAP’s config (run /export hide-sensitive in terminal window and copy-paste result into [ code] environment).

```
# model = RBcAPGi-5acD2nD
/interface bridge
add name=BRIDGE-100
add name=BRIDGE-400
add admin-mac=74:4D:28:65:72:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-657224 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-657225 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=VLAN-1-MAIN vlan-id=1
add interface=ether1 name=VLAN-100-GAST use-service-tag=yes vlan-id=100
add interface=ether1 name=VLAN-400-DEVELOPMENT use-service-tag=yes vlan-id=400
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:25 \
    master-interface=wlan2 multicast-buffering=disabled name=VWAL-1-5GHZ ssid=\
    VerjoSecure wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:29 \
    master-interface=wlan2 multicast-buffering=disabled name=VWAL-400-5GHZ \
    ssid=VerjoDevelopment vlan-id=400 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=SP-1-MAIN supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=SP-100-GAST supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=SP-400-DEVELOPMENT supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:24 \
    master-interface=wlan1 multicast-buffering=disabled name=VWAL-1-2GHZ \
    security-profile=SP-1-MAIN ssid=VerjoSecure wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:26 \
    master-interface=wlan1 multicast-buffering=disabled name=VWAL-100-2GHZ \
    security-profile=SP-100-GAST ssid=VerjoGast vlan-id=100 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:27 \
    master-interface=wlan2 multicast-buffering=disabled name=VWAL-100-5GHZ \
    security-profile=SP-100-GAST ssid=VerjoGast vlan-id=100 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:65:72:28 \
    master-interface=wlan1 multicast-buffering=disabled name=VWAL-400-2GHZ \
    security-profile=SP-400-DEVELOPMENT ssid=VerjoDevelopment vlan-id=400 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=BRIDGE-100 interface=VWAL-100-5GHZ
add bridge=BRIDGE-100 interface=VWAL-100-2GHZ
add bridge=BRIDGE-100 interface=VLAN-100-GAST
add bridge=BRIDGE-400 interface=VWAL-400-5GHZ
add bridge=BRIDGE-400 interface=VWAL-400-2GHZ
add bridge=BRIDGE-400 interface=VLAN-400-DEVELOPMENT
/ip address
add address=10.1.10.1/24 disabled=yes interface=ether1 network=10.1.10.0
add address=10.1.40.1/24 disabled=yes interface=ether1 network=10.1.40.0
add address=10.52.72.1/24 disabled=yes interface=ether1 network=10.52.72.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n /system leds settings set all-leds-off=immediate \r\
    \n } else={\r\
    \n /system leds settings set all-leds-off=never \r\
    \n }\r\
    \n "
```

Not sure why you need two bridges, as VLANs are VLANs and don't need extra bridge separation.
However, the bigger issue may be that you don't use the bridge interface when defining the VLANs.

How about you have a good review of this resource, change your config accordingly and then post back with further inquiries.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

This one may also provide some benefit as a secondary source.
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
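
An added example, not part of the reply above and not MikroTik tooling: a small Python check for the issue that reply raises, flagging VLAN interfaces in an `/export` whose parent interface is itself a port of a bridge instead of the bridge. The sample text is a constructed excerpt of the config posted earlier, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt of the export posted in this thread (sample input).
SAMPLE_EXPORT = """
/interface bridge
add name=BRIDGE-100
add name=BRIDGE-400
add admin-mac=74:4D:28:65:72:XX auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN-1-MAIN vlan-id=1
add interface=ether1 name=VLAN-100-GAST use-service-tag=yes vlan-id=100
add interface=ether1 name=VLAN-400-DEVELOPMENT use-service-tag=yes vlan-id=400
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=BRIDGE-100 interface=VLAN-100-GAST
add bridge=BRIDGE-400 interface=VLAN-400-DEVELOPMENT
"""

def parse_export(text):
    """Return {menu path: [{key: value} for each 'add' line]}."""
    # Join export line continuations: trailing backslash plus indented next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            sections[menu].append({k: v.strip('"') for k, v in pairs})
    return sections

def vlans_on_bridge_ports(text):
    """Flag VLAN interfaces whose parent is itself a port of a bridge."""
    cfg = parse_export(text)
    port_of = {p["interface"]: p["bridge"] for p in cfg["/interface bridge port"]
               if "interface" in p and "bridge" in p}
    findings = []
    for vlan in cfg["/interface vlan"]:
        parent = vlan.get("interface")
        if parent in port_of:
            findings.append((vlan["name"], int(vlan["vlan-id"]), parent, port_of[parent]))
    return findings

if __name__ == "__main__":
    for name, vid, parent, bridge in vlans_on_bridge_ports(SAMPLE_EXPORT):
        print(f"{name}: vlan-id={vid} is defined on {parent}, "
              f"which is a port of bridge '{bridge}'")
```

On the sample, all three VLAN interfaces are reported because `ether1` is a member of `bridge`.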

There are a few more or less serious flaws in the config. So I’m with @anav: read (and understand) the tutorial in his first link. After you reconfigure the cAP according to that tutorial, if it still doesn’t work right, come back and we’ll try to help.

Thank you both for the reply. I’ll try your ideas on Monday. Have a good weekend.

~ Loran

Good plan, do come back and let us know how it goes. The “A” team comprised of Jekyll (me) and the evil Mr Hyde (mkx) are here to help! ;)