RouterOS illogical behavior with wireless interfaces

On my router (hAP ac^2) with RouterOS v6.47 I’m using all ports as gateways for independent LANs.
For this I removed the default bridge and made each port the gateway of its LAN, i.e. like this:

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK          INTERFACE
 0   192.168.254.253/24   192.168.254.0    ether1
 1   192.168.127.254/17   192.168.0.0      ether2
 2   192.168.128.254/24   192.168.128.0    ether3
 3   192.168.129.254/24   192.168.129.0    ether4
 4   192.168.131.254/24   192.168.131.0    ether5
 5   192.168.132.254/24   192.168.132.0    wlan1
 6   192.168.133.254/24   192.168.133.0    wlan2

NAT is not used on this router (i.e. it is disabled). ether1 goes to the uplink (WAN). The system has created default/automatic routes for the above addresses.
Each etherX port has a switch attached to it, to which the clients of that LAN are attached.
For ether1 to ether5 everything works perfectly, as all clients in them can ping every client in any of the other LANs.

A problem arises with the wireless interfaces wlan1 and wlan2: here only their gateway IPs (.132.254 and .133.254 above) can be pinged from etherX, but not the clients in them. The wlan clients have correct IPs in their respective LAN.

What's the reason for this different (illogical) behavior, and how to fix that?

If clients connected to wlan1 or wlan2 have this router (i.e. 192.168.132.254 or 192.168.133.254) as default gateway (or have routes to other subnets) and they answer pings from these subnets (it’s not blocked by their firewalls), this tiny piece of config doesn’t explain why it shouldn’t work.

Good point.
The client I tested this with belongs to ether5’s LAN (i.e. it has IP 192.168.131.3 and GW 192.168.131.254).
Shouldn’t it still function, since the router knows all the routes?
As said: with etherX it works, but why not with wlanX?

That’s how IP subnets work. If you connect a device with address 192.168.131.3 to any other interface than ether5, it can’t work, because as the router sees it, any 192.168.131.x is connected to ether5 and it won’t look for it anywhere else. Also, a device looking for 192.168.131.254 won’t succeed on any other interface than ether5.

You are talking the obvious. Of course 192.168.131.3 is connected to ether5, what else?

I even tried an explicit route on that Linux client, but it still doesn’t work:

route add -net 192.168.133.0 gw 192.168.131.254 netmask 255.255.255.0 dev eth0

route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
default          192.168.131.254  0.0.0.0          UG    0      0        0 eth0
192.168.131.0    0.0.0.0          255.255.255.0    U     0      0        0 eth0
192.168.133.0    192.168.131.254  255.255.255.0    UG    0      0        0 eth0

Since etherX to etherY works w/o doing anything else, I conclude that it must be a problem with how ROS internally handles the wlanX interfaces (i.e. differently from how it handles the etherX interfaces).

Ok, sorry, then it was a misunderstanding, I thought you connected it to wlan1 or wlan2. If not, then check the same for devices connected to wlan1 or wlan2. They must have 192.168.132.x/24 and gw 192.168.132.254, or 192.168.133.x/24 and gw 192.168.133.254, and if they have own firewalls, they must allow pings from other subnets. And of course the firewall on the router, if there is one, must not block it either.

I could achieve only a partial solution, which allows pinging/connecting to the wlan client only from the WAN side (ether1).
For this to work I had to do these steps:
1.) Create a bridge “bridge1” and put WAN (ether1), wlan1, wlan2 into it.
2.) Create an IP pool for the DHCP server with an IP range from the WAN side (i.e. here for testing 192.168.254.10-192.168.254.19).
3.) Assign that IP pool to a/the DHCP server. Its interface must be “bridge1”.
4.) Remove the gateway addresses #5 and #6 for the wlanX in the initial posting.

With the above setup one gets:

  • wlan1 and wlan2 are working
  • wlan clients have Internet access
  • wlan clients do not have access to other clients in the other LANs (ether2..ether5)
  • wlan clients can be reached only from the WAN-side (192.168.254.x)

[“WAN-side” here means that there is another router in front of this above router]

Your latest post indicates that indeed it’s what @sob wrote:

… and if they have own firewalls, they must allow pings from other subnet.

There is no firewall issue. As already said: etherX to etherY works w/o any problems with just default/automatic routing settings on the router, and firewall on clients is not activated.
It is that routing of wlanX behaves differently than routing of etherX.
I just had expected (ie. wanted to have) the same routing behavior regardless of the type of the interface (etherX, wlanX).

Is there perhaps anything else you have in your config? Maybe posting the whole thing could help. Because none of the routers I have ever seen cared whether an interface is ether or wlan, and I don’t see why there should be any difference.

or to continue … Can a wlan1 device be pinged from the router itself or from another wlan1 device?
And of course the reverse route must exist in the wlan1 device with router as gateway.

Pinging wlan clients from all devices connected to the same subnet on ether1 (i.e. 192.168.254.x) works, as well as pinging from inside the router itself (via “/ping …”, see below).
Only thing that is not working is pinging the wlan clients from ether2..ether5 (ie. from different LANs).
The funny thing is, as said: with etherX to etherY it works w/o doing anything else like setting explicit routes on the clients or so (they just use their gateway and default routes).
Tomorrow I’ll have more time to test these issues further.

[admin2@MikroTik-AP] > /interface wireless monitor wlan1 once
status: running-ap
channel: 2452/20-Ce/gn(17dBm)
wireless-protocol: 802.11
noise-floor: -99dBm
overall-tx-ccq: 94%
registered-clients: 1
authenticated-clients: 1
wmm-enabled: yes
current-tx-powers: 1Mbps:0(0/0),2Mbps:0(0/0),5.5Mbps:0(0/0),11Mbps:0(0/0),6Mbps:0(0/0),9Mbps:0(0/0),12Mbps:0(0/0),18Mbps:0(0/0),24Mbps:0(0/0),36Mbps:0(0/0),48Mbps:0(0/0),
54Mbps:0(0/0),HT20-0:0(0/0),HT20-1:0(0/0),HT20-2:0(0/0),HT20-3:0(0/0),HT20-4:0(0/0),HT20-5:0(0/0),HT20-6:0(0/0),HT20-7:0(0/0),HT40-0:0(0/0),HT40-1:0(0/0),
HT40-2:0(0/0),HT40-3:0(0/0),HT40-4:0(0/0),HT40-5:0(0/0),HT40-6:0(0/0),HT40-7:0(0/0)
notify-external-fdb: no

[admin2@MikroTik-AP] > /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS         MAC-ADDRESS        HOST-NAME          SERVER   RATE-LIMIT  STATUS  LAST-SEEN
 0 D 192.168.254.14  XX:XX:XX:XX:XX:XX  android-XXXXXXXXX  defconf              bound   3m6s

[admin2@MikroTik-AP] > /ping 192.168.254.14
  SEQ HOST            SIZE TTL TIME   STATUS
    0 192.168.254.14    56  64 250ms
    1 192.168.254.14    56  64 47ms
    2 192.168.254.14    56  64 77ms
    3 192.168.254.14    56  64 98ms
    4 192.168.254.14    56  64 126ms
    sent=5 received=5 packet-loss=0% min-rtt=47ms avg-rtt=119ms max-rtt=250ms

Below is the “/export hide-sensitive file=export-hs”.
The config is not fully configured yet (esp. firewall/security). And there is some unused/disabled/experimental stuff in it, for example the DHCP pool132, pool133, pool134 stuff. This router is not directly connected to the Internet: it just connects to an uplink router here, i.e. it’s in a safe test environment inside the LAN, so security is not that much of a concern for the moment.

Let me know if you find something that could explain the problem of wlanX not being pingable from ether2..ether5, whereas ping from etherX to etherY works fine, as well as ping from ether1 to wlanX. Btw, adding also the LAN (ether2..ether5) to the bridge is NOT a solution, as then other things stop working, like Internet access. Best would be to get rid of the bridge completely, but then wlan does not function, as then wlan clients cannot connect to the AP; it seems the use of a bridge is mandatory with wlan interfaces.

# jun/17/2020 16:53:03 by RouterOS 6.47
# software id = I2LK-MU5N
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXX

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MTAP2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MTAP5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=profile_g2 supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.254.10-192.168.254.19
add name=pool132 ranges=192.168.132.10-192.168.132.19
add name=pool133 ranges=192.168.133.10-192.168.133.19
add name=pool134 ranges=192.168.134.10-192.168.134.19
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
add address-pool=pool132 interface=wlan1 name=dhcp-wlan1-pool132
add address-pool=pool133 interface=wlan2 name=dhcp-wlan2-pool133
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=WAN trusted=yes
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=WAN
add interface=wlan1 list=WAN
/ip address
add address=192.168.254.253/24 interface=ether1 network=192.168.254.0
add address=192.168.127.254/17 interface=ether2 network=192.168.0.0
add address=192.168.128.254/24 interface=ether3 network=192.168.128.0
add address=192.168.129.254/24 interface=ether4 network=192.168.129.0
add address=192.168.131.254/24 interface=ether5 network=192.168.131.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=192.168.254.254
/ip dns static
add address=192.168.131.254 name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward disabled=yes icmp-options=8:0 limit=3,10:packet packet-size=93-65535 protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.254.253 dst-port=8458 protocol=tcp to-addresses=192.168.20.1 to-ports=8458
add action=dst-nat chain=dstnat dst-address=192.168.254.253 dst-port=8458
protocol=tcp to-addresses=192.168.20.1 to-ports=8458
/ip route
add distance=1 gateway=192.168.254.254
add distance=1 dst-address=192.168.130.0/24 gateway=192.168.129.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-AP
/system ntp client
set enabled=yes primary-ntp=192.168.254.254


I don’t see addresses assigned to wlan1 and wlan2.

…also networks are not defined for your dhcp-servers…

…and once you enable firewall wlan1 and wlan2 will be treated like wan ports… why?

Where is the default gateway for the 192.168.254.x clients, don’t they have any? If not, then 192.168.254.0/24 is all they can access, nothing else.

As said in a prev posting, I had to remove the gateway addresses for wlanX (.132.254 and .133.254) from my OP for this latest partially working solution (actually it didn’t make any difference whether they continued existing or not).
The wlan clients get their IP etc. from the default DHCP Server pool in the range 192.168.254.10-192.168.254.19 as can be seen in the cfg.

…also networks are not defined for your dhcp-servers…

Explain pls, what exactly is necessary to do?

…and once you enable firewall wlan1 and wlan2 will be treated like wan ports… why?

As said, this is the best-working setup I could come up with so far. Still seeking a better solution.
I’m open to any working ideas (but of course w/o any firewall tricks or VLAN stuff, as I want just pure basic clean IP routing).

This is the routing table. IIRC only record #4 was defined manually by me, the rest is auto-generated by RouterOS:

[admin2@MikroTik-AP] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY                  DISTANCE
 0 A S  0.0.0.0/0                            192.168.254.254                 1
 1 ADC  192.168.0.0/17      192.168.127.254  ether2                          0
 2  DC  192.168.128.0/24    192.168.128.254  ether3                        255
 3  DC  192.168.129.0/24    192.168.129.254  ether4                        255
 4   S  192.168.130.0/24                     192.168.129.253                 1
 5  DC  192.168.131.0/24    192.168.131.254  ether5                        255
 6 ADC  192.168.254.0/24    192.168.254.253  bridge1                         0

IP addresses must be on the WLAN ports! How can the wlan devices reach their gateway if it doesn’t have an IP address? Or do you define a gateway that does not exist?
Setting the IP address will also autogenerate the static route for a connected network. There is no route towards your wlans I can find.
Is that /17 on ether2 a typo, or intended? It’s a bit confusing, as you have to know the routing priority rules then.

So there is no route, and it will take the /17 or the /0 default route then. Your routing setting is wrong. It was automatic for the ethernet, based on the static IP address and netmask.

If you start bridging it will be a switched layer 2 network, not the routing you want. This is layer 3 only (routing), and it has to be set correctly.

If you start the default firewall, add the WLAN interfaces to the LAN “interface list”.
Now you are dropping everything from the WLAN interfaces (they are in the WAN list, which means no incoming traffic unless responses to NATted requests to that interface; this never happens):
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

It’s the client device that needs default gateway. When it gets config from dhcp, it would be:

/ip dhcp-server network
add address=192.168.254.0/24 gateway=192.168.254.253 <other options>

But you don’t have anything like that. Not that it’s completely correct, because .253 is on this router, but as I understand it, the actual gateway is now another router, so it should be its address. But then routing between other networks won’t work, unless you add routes to them on the other router.

But if you take step back and return to your previous config, then working solution would be:

/ip dhcp-server network
add address=192.168.132.0/24 gateway=192.168.132.254 <other options>
add address=192.168.133.0/24 gateway=192.168.133.254 <other options>
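Putting together what bpwl and Sob describe above (addresses on the wireless interfaces, a DHCP "network" entry that hands out the gateway, WLANs in the LAN list instead of the WAN list), here is the corresponding RouterOS configuration as an added example; it was not posted in the thread. It goes back to the routed per-interface layout of the original post and keeps the interface, pool and DHCP-server names from the export. It assumes the wireless interfaces can stand alone as routed interfaces (mode=ap-bridge in the export is the AP role, not bridge membership), and the dns-server option handed to clients is an assumption, since the thread does not say which resolver the wlan clients should use.

```routeros
# Added example, not from the thread. Applies on top of the posted export.

# 1. Take wlan1/wlan2 out of the WAN list and put them in LAN. In the export
#    bridge1 has the WAN *list* as its port ("/interface bridge port add
#    bridge=bridge1 interface=WAN"), so leaving the WAN list also takes the
#    two WLANs out of bridge1, and the "drop all from WAN" rule no longer
#    applies to them once the firewall is enabled.
/interface list member
set [ find interface=wlan1 ] list=LAN
set [ find interface=wlan2 ] list=LAN

# 2. Gateway addresses on the wireless interfaces, exactly as on ether2..ether5.
#    Each one auto-generates the connected (DC) route that is missing from the
#    "/ip route print" output above, so 192.168.132.x/133.x no longer fall
#    through to the 0.0.0.0/0 default route.
/ip address
add address=192.168.132.254/24 interface=wlan1 network=192.168.132.0
add address=192.168.133.254/24 interface=wlan2 network=192.168.133.0

# 3. DHCP "network" entries: without one, a lease carries no router option and
#    the client has no default gateway. dns-server pointing at the router is an
#    assumption (it has allow-remote-requests=yes in the export).
/ip dhcp-server network
add address=192.168.132.0/24 gateway=192.168.132.254 dns-server=192.168.132.254
add address=192.168.133.0/24 gateway=192.168.133.254 dns-server=192.168.133.254

# 4. Enable the per-WLAN servers that already exist in the export (they use
#    pool132 / pool133 and are bound to wlan1 / wlan2).
/ip dhcp-server
set dhcp-wlan1-pool132 disabled=no
set dhcp-wlan2-pool133 disabled=no

# Check: two new "ADC" routes for 192.168.132.0/24 and 192.168.133.0/24 should
# appear, and a wlan client lease should show server dhcp-wlan1-pool132/133.
/ip route print
/ip dhcp-server lease print
```

After a wlan client renews its lease it should hold a 192.168.132.x or 192.168.133.x address with the router as gateway, and a ping from an ether2..ether5 client then follows the same connected-route logic that already works between the Ethernet LANs. The defconf DHCP server on bridge1 and the 192.168.254.10-19 pool are untouched; they simply no longer serve wireless clients.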

@Sob, the DHCP server is only for wlan clients; all other devices have manually configured static IP and gateway (and DNS server etc.).

@bpwl, see bridge1 in routing table: ether1, wlan1, wlan2 use that for their routing decision, IMO. The bridge1 was added by ROS itself to the routing table.