Virtual WLAN and VLANs

So, after successfully creating a proper home wireless network with help from this forum and its great members, I was thinking about creating one virtual wireless network for my CCTV cameras.

Right now I have a hAP ac lite as an access point for my cameras because my ISP1 router was unable to handle such a load (constant reboots and so on).

Now I have two ISPs, and the second one is a lot faster than the first one, and all my devices are connected to ISP2 except CCTV. (ISP1 is only for IPTV right now, and for failover.)

I would like to create a virtual AP on the 2.4 GHz WiFi interface of my cAP ac so I can remove the hAP ac lite. I have a hAP ac3 as main router, and a cAP ac as AP working in WISP AP mode (bridge).

I tried to add a VLAN and a Virtual AP to the cAP ac and it was working: devices connect and get an IP, but the internet was unavailable. (I created a DHCP server on the cAP ac.)

Post the configs of the hapac3 and capac.

I tried that on some equipment that I have at the office and it's not used at the moment, so if anything goes wrong, no big deal :laughing: . Same AP, only the router is a hEX S.

I will post config tomorrow.

Still using the same airtime.

Ok, so I only changed settings in the cAP ac and here is the config for that AP (Note: it's working in WISP AP mode (bridge) so no firewall rules etc.). I followed this youtube tutorial.

# mar/17/2022 05:47:05 by RouterOS 7.1.3
# software id = 
#
# model = RBcAPGi-5acD2nD
# serial number = 
/interface bridge
add name=bridge1
add name=bridge2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name= supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name= supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n comment="2.4 GHz" country=\
    croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
     ssid="" wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac comment="5 GHz" country=\
    croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
     ssid="" wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile= ssid=Gosti vlan-id=10 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface wireless nstreme
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface vlan
add interface=wlan3 name=VLAN10_GOSTI vlan-id=10
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge2 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=VLAN10_GOSTI
add bridge=bridge2 interface=wlan3
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge2 network=192.168.10.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system routerboard settings
set cpu-frequency=auto

Is it necessary to create the VLAN on the main router? Because the AP is like a wifi antenna for the main router. So one VLAN (can be VLAN1) is used for the real wifi interface, and another VLAN for the virtual interface.

Without the config of the other router, context is lacking.
This is the example I use…
https://forum.mikrotik.com/viewtopic.php?t=182276

As to the linked video, it's okay but old…
- Using two bridges is the first thing I would drop like a lead weight.
- No need for WAN and LAN; this is simply acting as an AP/switch.
- Don't use wifi settings for vlan tagging etc… remove.
- Assigning of vlans to wlans is done at /interface bridge port settings.
- The device address is associated with the trusted subnet (aka vlan), NOT the bridge.
- If you only have GUEST vlans on this device, you still need to send a trusted vlan to the device for ADMIN config purposes.
- The only vlan that needs to be identified on this device under /interface vlan (with interface bridge) is the trusted vlan.
- The only interface list needed is Management.
- The only interface list member of that is the trusted vlan.
- Also, the trusted vlan is the IP route.
- Also, the trusted vlan is the IP neighbour discovery → interface list entry.
- Also, the trusted vlan is the tools mac-server / Winbox mac server → interface list entry.

All smart devices should have their IP on the trusted subnet and thus be accessible to the admin for config purposes.
For a home setup it could be the main LAN, and in a business setup a separate management vlan. Do not use vlan1; that is a default vlan that bridges have in the background.
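To make the bullet list above concrete, here is an added example of a cAP ac configured the way it describes (one bridge, VLAN assignment on the bridge ports, a trusted/management VLAN as the only L3 interface). This is not a config from the thread or from the linked tutorial; it assumes a freshly reset cAP ac on RouterOS 7, and the VLAN ids (99 management, 20 home, 10 CCTV), subnets, SSIDs, profile names and port roles (ether1 trunk to the router, ether2 off-bridge) are constructed assumptions, so adapt them to the real router side.

```routeros
# Added example (not from the thread): cAP ac as a VLAN-aware AP.
# Assumed layout: ether1 = trunk to the main router, ether2 = off-bridge access,
# wlan1/wlan2 = home wifi (VLAN 20), wlan3 = virtual AP on wlan1 for CCTV (VLAN 10),
# VLAN 99 = trusted/management vlan carrying this AP's own address.
# Apply while connected via ether2; vlan-filtering is switched on last so a
# mistake in the vlan table cannot cut off the session that is applying it.

/interface bridge
add name=bridge vlan-filtering=no

/interface wireless security-profiles
add name=home authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key="<home passphrase - placeholder>"
add name=cctv authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key="<cctv passphrase - placeholder>"

/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Home \
    security-profile=home wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=Home \
    security-profile=home wps-mode=disabled
# Virtual AP for the cameras; default-forwarding=no stops cameras from
# talking to each other over the air (client isolation). No vlan-id/vlan-mode
# on the wireless interface: the bridge port carries the VLAN assignment.
add name=wlan3 master-interface=wlan1 ssid=CCTV security-profile=cctv \
    default-forwarding=no disabled=no wps-mode=disabled

/interface bridge port
# Trunk: accepts only tagged frames from the router.
add bridge=bridge interface=ether1 comment="trunk to router" \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: pvid puts untagged client traffic into the right VLAN.
add bridge=bridge interface=wlan1 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan2 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan3 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# "bridge" is tagged only on the management VLAN: that is the only VLAN the
# AP itself needs an interface on. Home and CCTV are purely switched through.
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
add bridge=bridge tagged=ether1 untagged=wlan1,wlan2 vlan-ids=20
add bridge=bridge tagged=ether1 untagged=wlan3 vlan-ids=10

# The only /interface vlan entry: the trusted (management) vlan.
/interface vlan
add interface=bridge name=MGMT_VLAN99 vlan-id=99

/interface list
add name=Management
/interface list member
add interface=MGMT_VLAN99 list=Management
add interface=ether2 list=Management

/ip address
add address=192.168.99.2/24 interface=MGMT_VLAN99 comment="AP address on trusted vlan"
add address=192.168.250.1/24 interface=ether2 comment="off-bridge access"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns
set servers=192.168.99.1

# Neighbor discovery and MAC/Winbox access only via the Management list.
/ip neighbor discovery-settings
set discover-interface-list=Management
/tool mac-server
set allowed-interface-list=Management
/tool mac-server mac-winbox
set allowed-interface-list=Management

/interface bridge
set bridge vlan-filtering=yes
```

Note what is deliberately absent compared with the export earlier in the thread: no second bridge, no DHCP server or pool on the AP, no WAN/LAN lists, and no vlan-id/vlan-mode on the wireless interfaces. The router at the other end of the trunk must tag VLANs 10, 20 and 99 towards this port and provide DHCP and the gateway for each of them; until it does, clients will associate but get no address, which is the symptom the first post describes.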

So here is the config of the main router:

# mar/18/2022 05:27:12 by RouterOS 7.1.3
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=   interface=ether1 network=
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.229 client-id=1:a4:d7:3c:3:3e:ad comment=Printer \
    mac-address=A4:D7:3C:03:3E:AD server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

I also removed the changes that I made by following that tutorial so I can start from the beginning. I will also study the information from the link you provided.

I’ve read the posts and configurations from the links you provided, so in the “main” router the default VLAN1 is replaced by VLAN99 (base) and then 3 more VLANs are added to the config.

I would need only one, and in my case only ether5 would need to be a trunk port (Home WiFi on e.g. VLAN99 (base VLAN instead of the default 1, or it can stay as 1 as this is for home use), and CCTV on VLAN10 or something).

At home I have a spare hAP ac lite and hEX S so I will try some of these configurations during the weekend. (Using spare equipment, so if I mess something up there is no problem :laughing: )

No, nothing replaces the default vlan1 for the bridge. It stays there in the background.
You create a management vlan IF YOU NEED ONE, otherwise use a trusted subnet.
I don’t mix apples and oranges, so as soon as I have vlans, if there were any subnets not in vlan format, like people typically use on the bridge (DHCP by the bridge), I get rid of them and put them in a vlan.
Typically, if that is where the admin resides, that becomes the trusted subnet.

Since this is just for home use and just for simplicity, can the trusted subnet be the default one? And by default that is VLAN 1?

No, no and NO.
If you want the current home subnet as the trusted subnet then make it a vlan like 20 or something.
Leave vlan1 alone please. It should not carry data.

So
/interface vlan
add interface=bridge name=default-subnet vlan-id=20
add interface=bridge name=cctv-subnet vlan-id=10
any others???

@anav

His latest export doesn’t have vlan-filtering on, so he isn’t going to be able to use any tagged vlans with standard non-vlan-aware devices.

You should be pointing him to your new user success thread, or the one on setting up a vlan-aware bridge.

But I think he needs to be pointed to some vlan background info.

I understand that you like “cookie cutter” general solutions, and that is good in general, but you provide no “reasons” as to why he shouldn’t use vlan 1. I am not as averse to using vlan 1 as you are. In a home situation, I don’t think it makes any difference. Is it best practice? NO. But many things in a home environment are not best practice (usually no physical security, for example); the router is just exposed to anyone in the home. Anyone with physical access can reset the router, or move cables. The point is, what is the reason that you feel so protective of vlan 1? Yes, there may be some control plane traffic there, but so what? How exactly does that affect a home user?

@gigabyte091 if you want to know why @anav doesn’t want to use vlan 1, search google for “should I use vlan 1”

And if you want to understand what vlans are, this is a gentle but good introduction: Virtual Local Area Networks (VLANs)

He wants to use the capac, presumably with at least two vlans and possibly a third (as it comes with a 2gh and 5gh chain), and it’s typical to run a few virtual WLANs.

Like 2.4ghz iot, 2.4gh media, 5ghz home, 5gh guests etc… That’s four vlans, FIVE if there is a separate management vlan.
Moving to an all-vlan structure allows the OP max flex in adding networks, both wired and wireless, to the home setup.

All we are doing with the vlan setup is mimicking a managed switch for the most part, and there are just some unique setups (cookie cutter) that ensure this happens smoothly.
For the beginner, if vlans are needed, it’s better to NOT use the bridge for any dhcp, ip pool etc., and keep it apples to apples and do it all on vlans; far less confusing!!

Yes, my config is default for now; it’s spare equipment that I managed to rescue from being thrown into e-waste (brand new equipment… I see no reason for throwing that…)

Right now I’ve created a management port on the router, I’m following @anav’s tutorial from this topic, and that is working.

I’ve read why not to use VLAN1 and now I can see why @anav is so against it. I will follow your advice and I will not use VLAN1 for anything. I would like to learn the right way.

So if you say it’s easier for the beginner to go all VLAN then ok; I mean, you are right, maybe I’ll add a guest network or something in the future (but for now, guests connect to the other ISP router, so they are not even connected to the “main” network).

For the management port I have the 192.168.10.0/24 network; can I add a DHCP server with, e.g., 2 or 3 available IPs, so I don’t have to manually change NIC settings every time I want to connect?

@buckeye

Thank you for the article about VLANs.

Well, it’s not necessarily the RIGHT way; there are many successful ways to configure these devices. I am just fond of a clear and easy path for the beginner.
Once one gets more familiar with MT functionality, then exploring is up to the user. :slight_smile:

As for now, it’s a good time to get a diagram published so your network is better appreciated.
What I see now is three devices: hapac3 router (wired and wireless), haplite wifi (2.4) plus 3 ethernet ports (but only 10/100), capac wifi (2.4/5) + 1 extra ether port (good for off-bridge access IMHO).

Plan your setup.
What do you need for wifi (iot, guest, media, video, HOMEwifi)
What do you need for wired lans, home, guest, iot, nas, other?
Now you have an idea of how many vlans you want to have (note home VLAN works for both home wifi and home wired so only one vlan required, same for any other duplication).
Setup all vlans to the bridge on the hapac3
Use the hap lite as a viable 2.4 ghz device (probably two WLANs)
Use the hapac as a viable 2.4 and 5ghz WIFI device.
Use the hapac3 for 2.4 and 5ghz wifi

Plan location of wifi devices for coverage required.
Plan frequency/channels for wifi to ensure separation (non-interference) from the internal APs, and look at external wifi interference as well.

The hap lite and capac ether1 will be Trunk port to hapac3, use ether2 on both units for OFF BRIDGE ACCESS.
To config both use this link and example… https://forum.mikrotik.com/viewtopic.php?t=182276

***** As to your question, NO need to do anything fancy with off-bridge: you can plug in any device with any IP within the address scope you assign to a particular device (.2 to .254), no need for any dhcp etc…

Note: If your home lan is trusted you don’t necessarily need a management vlan. Up to you.

++++++++++++++++++++++++++++++++++

Seeing as you are port limited more than anything else, and you do not want to continue to use the haplite… then
hapac3
ether1 - fast ISP (primary) ether2 - slow ISP (secondary for failover),
ether3 - capac, ether4-HOMELAN, ether 5 off bridge.

If you want to have a management vlan separately then get a managed switch such that
ether1 - fast ISP (primary) ether2 - slow ISP (secondary for failover),
ether3-HOMELAN, ether 4- off bridge, ether -5 switch

Switch (if a RoS device) - ether1 from hapac3 (located next to hapac3)
ether2 - capac, ether3 - management vlan (if required), ether4 - off bridge

So right now, I have two routers, for learning purposes:
→ hEX S is the “main router”; it has no WiFi interfaces, it has the internet connection on ether1 (right now it’s connected to ISP2 or, as you said, the slow ISP) and it’s running MikroTik’s default configuration.
→ hAP ac lite, configured in WISP AP bridge mode, not router, connected to the hEX S on ether5 (because I’m using PoE out on the hEX S).

This setup is for learning purposes because if I mess things up it doesn’t matter. When I learn more, then I will configure my home network.

So here is the network diagram; I will update it when I change something.
[Drawing2.jpg]
For wifi, for now I plan to create:

  • Home WiFi, so my wife’s phone, laptop, my phone, laptop, PS4, Chromecast, Xiaomi TV stick 4K and central heating thermostat. (2.4 and 5 GHz)
  • Security WiFi, cameras and alarm system (2.4 GHz)
  • Guest WiFi, all other devices, and it will be limited to 20/20 Mbps

For wired lan:

  • Home network where I will connect my desktop PC and my wife’s work PC for now.

My home network can be trusted, but for learning purposes I can create separate VLANs.
My routers are locked in a network cabinet in some kind of utility room that is also locked and under CCTV, so I think that it is more secure than average; ports that are not used are disabled and ether2 on my AP is also disabled.

I also have an HP Aruba 8 port managed switch, and I’m waiting for MikroTik’s switch (have to wait until May due to chip shortages).

I would like to go through all possible scenarios that I might need in the future.

But yes, you are right, for my home network I’m quite port limited; I think that on the hap ac3 I have only one port available.

Hapac3 is not a problem; since you won’t be using that in your office, there is no need for a home ethernet wired port there.
Thus you need
WAN, ether1-fast ISP, ether2-slow ISP, ether3-capac, ether4 to managed switch, ether5 OFF BRIDGE.

The managed switch could also then connect to another managed switch as required. Assuming keeping hex as a backup router.

Although the hapac3 wifi is wasted if that’s the router you are using in some hole in the closed off space LOL.
You should get a better WIRED only router RB5009 :wink:

At the managed switch you can hookup to the rest of the house as required.
Having a second managed switch at your desk gives you flexibility to try things… such as having both a home vlan and a management vlan available just by switching the ethernet cable (if you decide to have a management vlan).

@anav I agree with you that having a set of rules and standard configs can make it easier to manage, or to provide a working setup for someone that doesn’t want to take the considerable time to understand well enough to “build a configuration from scratch”.

Andreas Spiess had a 2022 New Years video on his youtube channel How To Use Rules to Increase Your Efficiency that is worth watching.

One problem I see frequently (I am not referring to this thread) is Frankenstein chimera configurations, where someone has copy/pasted parts of totally unrelated configurations but they don’t understand enough to know how the pieces should fit together or how they are interdependent. Then they come with a mess, and want help with a part that they think will solve the problem, i.e. a case of the X/Y Problem. This is one reason I dislike “recipes” with no explanations.

I see the “don’t use vlan 1” as a generally good rule, just like “don’t use 192.168.0.0/24, 192.168.1.0/24 or 192.168.88.0/24 for your home network”. Not because they won’t work, but because they are default values, and can lead to unintended problems. If you don’t intend to ever use a VPN, which RFC1918 subnet you choose makes little difference, but it is easier to recommend avoiding common subnets than to have problems later when you decide you want to connect to home with a VPN, but find that you can’t connect from your favorite coffee shop because they happened to choose the same default subnet that you did. In fact, you may want to make a note of the IP address you get on your mobile phone from the networks you are most likely to be connecting from, and be sure to choose something different for your home networks.

No matter what subnet you choose, it is possible that someone else will have chosen the same value, but you can greatly reduce the chance of a collision by avoiding the subnets that are the default values used by the major vendors.

It is good you have extra routers to learn with. It makes experimenting possible without having to worry about breaking internet access for everyone in the house.

You mentioned that you have multiple ISPs. Do you plan to keep both? If so, you may want to learn about connecting to both ISPs through a single router as suggested by @anav, although depending on the speeds involved, neither the hEX S nor the hapac3 may be able to deal with the load. The RB5009 recommended by @anav should be a good choice, although it’s new enough that not everything is optimized at this time, but that should get better in the future as the software support for the new processor and switch chip gets more attention. You could redeploy the hEX as a vlan-aware switch or as a “lab” router for testing.

The only MikroTik devices I currently have are an RB760iGS (hEX S) and two CSS106-5G-1S SwOS switches. I have a mutt network, with TP-Link (TL-SG108E) and Netgear (GS908E) “smart” vlan-aware switches, several Ubiquiti ER-X routers (similar to the hEX), and multiple “dumb” switches. I find vlans to be very useful, and on my hEX S and my ER-X routers, I have the switch chips in vlan-aware (vlan-filtering) mode, so I can have multiple ports on the routers be members of the same vlan. You should be able to add your HP switch without any problems, hopefully it is a 2530-8G Gb not a 2530-8 (100M). However, you will need to learn how vlans are configured on the Aruba switch, since there is no “standard” way to do that, every vendor has their own method, but the underlying vlans are all IEEE 802.1Q based at this time and will work on the wire with each other.

On the hEX S I am using v7.2rc4 because there are bug fixes related to the bridge features I am using. Since your network is for learning, you may want to consider using the testing release tree; it is less tested than stable releases, but it does have fixes that the stable release tree does not have.

Configuring your hapac3 and hEX S with a vlan-filtering bridge may take a bit more time to set up initially, but it makes future changes easier, especially if you want to add an access port for one of the vlans directly on the router. It puts a layer of abstraction between the vlan interfaces and the ports they exist on.
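The port plan @anav gave earlier (ether1 fast ISP, ether3 trunk to the capac, ether4 HOMELAN, ether5 off bridge) and the vlan-filtering bridge with a router-side access port described in the paragraph above are combined below in one added example for the router side. This is not a config posted in the thread; it assumes a hAP ac3 or hEX S on RouterOS 7 that still has the default configuration (defconf bridge named "bridge", WAN/LAN lists and the defconf firewall shown in the export earlier), and the VLAN ids (99 management, 20 home, 10 CCTV), subnets, pool ranges and names are constructed assumptions that must match whatever the AP is configured with.

```routeros
# Added example (not from the thread): router side of an all-VLAN layout.
# Assumed roles: ether1 = WAN (fast ISP), ether3 = trunk to the cAP ac,
# ether4 = HOME access port, ether5 = off-bridge access.
# Assumed VLANs: 99 management, 20 home, 10 CCTV. The defconf "bridge",
# WAN/LAN interface lists and defconf firewall rules are assumed present.
# Apply over ether5 (off-bridge); vlan-filtering is enabled as the last step.

# Remove the defconf L3 config from the bridge itself: with VLANs in use,
# every subnet lives on a VLAN interface and the bridge carries no address.
/ip dhcp-server remove [ find name=defconf ]
/ip dhcp-server network remove [ find comment=defconf ]
/ip pool remove [ find name=dhcp ]
/ip address remove [ find interface=bridge ]

/interface bridge port
remove [ find interface=ether3 ]
remove [ find interface=ether4 ]
# Trunk to the AP: only tagged frames are accepted.
add bridge=bridge interface=ether3 comment="trunk to capac" \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port straight on the router: untagged traffic lands in VLAN 20.
add bridge=bridge interface=ether4 comment="HOMELAN access port" pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# "bridge" is tagged on every VLAN the router needs an IP interface on.
add bridge=bridge tagged=bridge,ether3 vlan-ids=99
add bridge=bridge tagged=bridge,ether3 untagged=ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether3 vlan-ids=10

/interface vlan
add interface=bridge name=MGMT_VLAN99 vlan-id=99
add interface=bridge name=HOME_VLAN20 vlan-id=20
add interface=bridge name=CCTV_VLAN10 vlan-id=10

/ip address
add address=192.168.99.1/24 interface=MGMT_VLAN99
add address=192.168.20.1/24 interface=HOME_VLAN20
add address=192.168.10.1/24 interface=CCTV_VLAN10
add address=192.168.250.1/24 interface=ether5 comment="off-bridge access"

# DHCP per VLAN; the management VLAN is static-only, as the thread suggests.
/ip pool
add name=pool_home ranges=192.168.20.10-192.168.20.254
add name=pool_cctv ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=pool_home interface=HOME_VLAN20 name=dhcp_home
add address-pool=pool_cctv interface=CCTV_VLAN10 name=dhcp_cctv
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# The defconf firewall keys on the LAN list, so the VLANs join it; the
# bridge itself leaves LAN because it no longer carries an address.
/interface list
add name=Management
/interface list member
remove [ find interface=bridge ]
add interface=MGMT_VLAN99 list=LAN
add interface=HOME_VLAN20 list=LAN
add interface=CCTV_VLAN10 list=LAN
add interface=MGMT_VLAN99 list=Management
add interface=ether5 list=Management
/ip neighbor discovery-settings
set discover-interface-list=Management
/tool mac-server
set allowed-interface-list=Management
/tool mac-server mac-winbox
set allowed-interface-list=Management

# Segmentation on top of the defconf rules: the camera VLAN may only reach
# DHCP/DNS on the router and may not open connections into the other VLANs.
# Home can still reach the cameras, because return traffic is established.
/ip firewall filter
add chain=input in-interface=CCTV_VLAN10 protocol=udp dst-port=53,67 \
    action=accept comment="cctv: dns and dhcp only"
add chain=input in-interface=CCTV_VLAN10 action=drop \
    comment="cctv: no router access"
add chain=forward in-interface=CCTV_VLAN10 out-interface-list=LAN \
    connection-state=new action=drop \
    comment="cctv: no new connections to other vlans"

/interface bridge
set bridge vlan-filtering=yes
```

With this in place the trunk on ether3 tags VLANs 10, 20 and 99 towards the AP, so an AP that simply switches those VLANs through (no DHCP or address on the AP except on the trusted VLAN) gives clients an address and a gateway from the router. The two CCTV firewall rules are the point of putting cameras in their own VLAN: a compromised camera still gets its lease and DNS, but cannot reach the router's management services or start connections into the home or management subnets. If the cameras must not reach the internet either, add a matching forward drop with out-interface-list=WAN.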