Virtual AP on hAP ax s

Hello everyone,

I got a fresh hAP ax S, I'm also fresh in the MikroTik world, and just want to achieve a simple task - broadcast two different SSIDs with separate VLANs, IP and firewall rulesets (let's just say for private devices and guest devices) on both radios.
My device runs latest stable version 7.22.3 (factory software 7.19.4).
I've updated (out-of-the-box but updated) the following packages:

NAME VERSION BUILD-TIME SIZE

0 routeros 7.22.3 2026-05-07 09:19:52 11.7MiB
1 wifi-mediatek 7.22.3 2026-05-07 09:19:52 5.0MiB
2 XA calea 24.1KiB
3 XA container 184.1KiB
4 XA dude 1224.1KiB
5 XA gps 24.1KiB
6 XA iot 796.1KiB
7 XA iot-bt-extra 428.1KiB
8 XA openflow 76.1KiB
9 XA rose-storage 4052.1KiB
10 XA tr069-client 120.1KiB
11 XA ups 48.1KiB
12 XA user-manager 340.1KiB
13 XA wifi-halow-mm 612.1KiB
14 XA wifi-qcom 9.3MiB
15 XA wifi-qcom-ac 2628.1KiB
16 XA wireless 1848.1KiB
17 XA zerotier 744.1KiB

I've reviewed the MikroTik manual, section virtual AP, and I have no idea why I can't use /interface> wireless? My CLI provides only /interface> wifi, with which I'm unable to set ap-bridge mode. On both master interfaces I can only choose ap, station, station-bridge or station-pseudobridge modes.

The setup is basically default - I've just played with Channels and Configuration templates which are added to each master wifi interface:

0 M BR default-name="wifi1" name="wifi1" l2mtu=1560
mac-address=04:F4:1C:CD:9D:54 arp-timeout=auto
radio-mac=04:F4:1C:CD:9D:54 configuration=Config_2_4GHz
configuration.country=Germany .ssid="MikroTik" .mode=ap
security.authentication-types=wpa2-psk,wpa3-psk
channel=channel_freq_2_4
channel.frequency=2412,2437,2462 .width=20mhz

1 M BR default-name="wifi2" name="wifi2" l2mtu=1560
mac-address=04:F4:1C:CD:9D:55 arp-timeout=auto
radio-mac=04:F4:1C:CD:9D:55 configuration=Config_5GHz
configuration.country=Germany .ssid="MikroTik" .mode=ap
security.authentication-types=wpa2-psk,wpa3-psk
channel=channel_freq_5
channel.frequency=5180,5200,5220,5240 .skip-dfs-channels=all
.deprioritize-unii-3-4=yes

0 name="Config_2_4GHz" country=Germany ssid="MikroTik" mode=ap
security.authentication-types=wpa2-psk,wpa3-psk
channel=channel_freq_2_4
channel.frequency=2412,2437,2462 .width=20mhz .skip-dfs-channels=all

1 name="Config_5GHz" country=Germany ssid="MikroTik" mode=ap
security.authentication-types=wpa2-psk,wpa3-psk
channel=channel_freq_5
channel.frequency=5180,5200,5220,5240 .skip-dfs-channels=all
.deprioritize-unii-3-4=yes

Any ideas are much appreciated!

Best Regards,

/interface wireless is for pre-AX devices.
Mode should be set to ap to get the same as the old ap-bridge.

Official documentation on the /interface wifi options:

Hello erlinden,

Thank you for the quick reply and resolving my question on the CLI mismatch! Please correct me if I'm wrong - my way to go is datapath? Another option is PPSK, but it's not supported on WPA3. I'll read the manual carefully on the upcoming weekend and try to implement it.

Best regards,

Two ways: either use datapath or set the VLAN ID through /interface bridge port.
A great topic about VLANs is this:

Actually there is a third way (that I use currently):
Set the VLAN ID through the access list. Based on MAC address (I know it can be spoofed) it will supply a CORP or GUEST VLAN ID.

Yep, you'll have to use the wifi menu for newer models and the mode has been simply renamed to ap.

PPSK doesn't work for WPA3, but if you're separating your SSIDs then there's really no need for it.

As for separating traffic: currently enabling VLAN filtering on your bridge, and then assigning the wifi interface through the datapath parameter seems to be the most well-trodden approach. Just be aware that if you have no need for VLANs (i.e. your AP is also your router) then it's perfectly fine to forego VLANs altogether, and simply create another bridge (like bridge-guest) for the alternate SSID. This makes your life a bit easier.
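The datapath approach from the post above, written out as a RouterOS script; this is an added example and not part of the thread. It assumes the default configuration (bridge named `bridge`, interface list `LAN`), a wifi driver that honours the datapath `vlan-id`, and constructed VLAN IDs, subnets, guest SSID and passphrase.

```routeros
# Added example. Assumed values: VLAN 10 = private, VLAN 20 = guest, subnets below.
# Apply from a wired port or in Safe Mode: wifi clients move to a new subnet.
/interface wifi datapath
add name=dp-private bridge=bridge vlan-id=10
add name=dp-guest bridge=bridge vlan-id=20
/interface wifi security
add name=sec-guest authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-guest"
# Let the datapath add the wifi ports instead of the static default-config entries.
/interface bridge port
remove [find where interface~"^wifi"]
# Masters keep their SSID and security; one virtual AP per radio carries the guest SSID.
/interface wifi
set [find default-name=wifi1] datapath=dp-private
set [find default-name=wifi2] datapath=dp-private
add name=wifi1-guest master-interface=wifi1 configuration.ssid="Guest" \
    configuration.mode=ap datapath=dp-guest security=sec-guest disabled=no
add name=wifi2-guest master-interface=wifi2 configuration.ssid="Guest" \
    configuration.mode=ap datapath=dp-guest security=sec-guest disabled=no
# The bridge itself is a tagged member, so the router gets an L3 interface per VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/interface vlan
add name=vlan10-private interface=bridge vlan-id=10
add name=vlan20-guest interface=bridge vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-private
add address=192.168.20.1/24 interface=vlan20-guest
/ip pool
add name=pool-private ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-private interface=vlan10-private address-pool=pool-private disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# Only the private VLAN joins LAN; the guest VLAN stays outside it.
/interface list member
add list=LAN interface=vlan10-private
# Rule order matters: move these above any existing general drop or accept rules.
/ip firewall filter
add chain=forward action=drop in-interface=vlan20-guest out-interface=vlan10-private
add chain=input action=accept in-interface=vlan20-guest protocol=udp dst-port=53,67
add chain=input action=drop in-interface=vlan20-guest comment="guest to router"
# Enable filtering last, once VLAN membership is in place.
/interface bridge
set bridge vlan-filtering=yes
```

Wired ports left on the bridge keep their default PVID and are not moved into either VLAN by this script.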

Hi,

Thank you! I will try first two options.

I want to move further if I get this setup up and running. The next one will be 802.1x for internal devices, but there will also be a catch with non-802.1x devices. There you can only do MAC-Auth, which is actually more insecure than your setup with access lists with MACs but also secured with PSK :slightly_smiling_face:. Some high-grade vendors use some sophisticated techniques there to give the attacker a harder time than with simple MAC spoofing, but it only makes it harder, not impossible.

I get my fingers on the hAP next weekend - keep your fingers crossed!

Best regards,

Hello lurker888,

Thanks for joining this discussion! As everything resides / will reside on the hAP, that was actually my first idea. But I ran into one caveat - the master interface. You can create many sub-interfaces, each of which needs to have one master interface. A master interface can only be bound to one bridge, thus separating SSIDs on, let's just say, an L3 basis requires, from what I've learned until now, assigning i.e. wifi1 to internal and wifi2 to guests. It has one more caveat - if the device has only frequency-unique radios and only two of them (first one 2,4 and second one 5GHz), then you need to decide which radio acts for what purpose. Please correct me if I'm wrong.

Aside from that, yeah, I agree with you totally - it saves much configuration to achieve the goal. I could see this as a good solution for i.e. IoT devices, which mostly have energy saving as a high priority and use 2,4GHz with low data rates (energy saving for battery-powered Things) and old protocols (an SoC with 802.11n has lower costs than one with .ax / .be). This can be a good trade-off, saving sending times on 802.11n or older when one needs to downgrade the lowest data rate to 2Mbits - if so, the whole master interface is impacted by this setting and it impacts all clients on 2,4GHz, yet getting better coverage :upside_down_face:.

Best regards,