Separate VLAN for management interfaces

Dear Community,

I’d like to set up my RB751G-2HnD as a protected WiFi access point the following way:

  • one of the ethernet ports set up as VLAN trunk
  • in the trunk, use VLAN1 for the traffic to be forwarded to the WLAN interface
  • in the trunk, use VLAN2 only for accessing the management interface
  • on the other side, the RB751G-2HnD will connect to a wired network where these two VLANs will be handled separately. The idea is thus to only use the RB751G-2HnD as a wireless access point, and wireless clients would only be able to access the network in VLAN1. The DHCP server would be another device in VLAN1, so the RB751G-2HnD doesn’t need to be a DHCP server either.
  • management of the RB751G-2HnD (all the services, like webfig, winbox, ftp, console, etc.) has to be done strictly only in VLAN2, which would be accessible through the rest of the wired network, only by qualified personnel.

Would this be possible? How?

Currently the RB751G-2HnD acts as a simple access point in an untagged network, and the management interface is accessible from it. That is what needs to be prohibited.

Any suggestions welcome.

Create the VLAN interfaces and then add input filters to bar management traffic from any interface except the management VLAN.

Any more concrete info is welcome.

  • how to make trunk, and which interface?
  • how to make input filters?
  • etc…

But I was thinking, instead of filters, isn’t it possible to just bind management apps to a specific interface? I mean, to just not listen for management requests on any other?

VLAN interfaces are added in the Interfaces menu. Adding them to a physical Ethernet interface effectively makes that Ethernet interface a “trunk” in Cisco terms.
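
Added example, not part of the original thread: a RouterOS configuration for the approach suggested in the replies above (VLAN interfaces on the trunk port plus input filters that admit management traffic only from the management VLAN). The interface names `ether1` and `wlan1`, the VLAN and bridge names, and the 192.0.2.0/24 management subnet are assumptions, as are RouterOS 6.41 or later (for the interface-list settings) and ports that are not already members of another bridge.

```routeros
# Added example. Assumed names: ether1 (trunk port), wlan1 (wireless).
# 192.0.2.0/24 is a constructed management subnet; substitute your own.

# Tagged VLAN interfaces on the trunk port
/interface vlan
add name=vlan1-data interface=ether1 vlan-id=1
add name=vlan2-mgmt interface=ether1 vlan-id=2

# Bridge VLAN1 to the wireless interface. The bridge gets no IPv4 address,
# so wireless clients have no router address to reach services on.
/interface bridge
add name=br-wlan
/interface bridge port
add bridge=br-wlan interface=vlan1-data
add bridge=br-wlan interface=wlan1

# The router's only IPv4 address sits on the management VLAN
/ip address
add address=192.0.2.10/24 interface=vlan2-mgmt

# Input chain: accept replies and the management VLAN, drop everything else
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to router-originated traffic"
add chain=input in-interface=vlan2-mgmt action=accept comment="management VLAN"
add chain=input action=drop comment="all other input"

# /ip service restricts by source address rather than by interface;
# use it as a second layer behind the input filter
/ip service
set [find] address=192.0.2.0/24

# MAC-Telnet and MAC-Winbox work at layer 2 and are not seen by the
# IP firewall, so limit them to the management VLAN as well
/interface list
add name=mgmt
/interface list member
add list=mgmt interface=vlan2-mgmt
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
```

Apply it from a session that arrives over the management VLAN, or with Safe Mode enabled, since the final drop rule cuts off every other path to the router.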

I am interested in binding the management functions to a single VLAN interface as well. We operate VLAN1 as management, 2 as public, 3 as VoIP and 4 as a hotspot, and the management comes in over the SFP with everything else, and it would be nice to just bind it to that interface.