I've been doing endless research on how to configure my RB260GS switch (meant as entry switch to distribute internet) so that my cAP AX (basement use) and my hAP AX3 (upstairs) can access the internet but be isolated as this is meant to be a duplex with a shared internet service. I've set up the ports as such on the RB260GS below based on what I've found online. I'd like to find out if I'm on the right path here or I should rethink the setup. My hAP AX3 upstairs has all physical ports used and I'd basically want all of those ports to be part of VLAN100. As for the cAP AX in the basement, it is just a wireless AP that would be used on VLAN200. I've looked into how to configure the RouterOS portion (hAP AX3 & cAP AX) but that seems even more complicated as none of the info I've found provides an easy to configure workflow.
Since you have two independent wireless AP devices (and I assume that they each have their own cable to the router), I might be inclined to just leave the APs pretty stupid, and NAT them out of the router separately, which would eliminate the need for VLANs completely, and give the desired isolation.
I've been looking at another way to get this done but still using a VLAN to isolate the tenants in the basement. What if I used my hAP AX3 as the device that is connected to the cable modem and from there connect the RB260GS as a basic switch just to get more ports on the same IP set that I have on my hAP AX3 for my own devices. I could then connect the basement device (cAP AX) to say port3 of the hAP AX3 and create a VLAN just for that port instead. The problem is actually doing the work. lol
I've read this page here VLAN - RouterOS - MikroTik Documentation on creating a basic VLAN with 2 routers and even after using the terminal commands as a basis it still doesn't work. The weird thing is the basement device still doesn't have access to the internet even without any VLANs set up yet that "internet" status check indicates it's available on ether1 with the IPs from the upstairs.
Not saying my idea is better, but would not two bridges, two DHCP servers, two NATs and cable modem on eth1 also give you what you need? I guess in my mind, I tend to only use VLANs if I need multiple environments on the same cable.
Additional physical ports could be added to either bridge to allow extension switches/APs/etc. as desired.
In my opinion, you are overcomplicating things by introducing vlans, especially if you only need a single port for the basement.
Can you explain what you mean by "entry switch to distribute internet"? If you mean your internet connection is to the RB260, then depending on your ISP, you may or may not be able to get two IP addresses from the ISP's DHCP server. But I would not count on it. And then the cAP AX in the basement would have to be configured as a router with its own internet connection.
You can use the RB260 as a dumb switch to give you additional ports from the hAP AX3, but that would not be utilizing its vlan features.
The simple way would be to dedicate a port on the hAP AX3 for the basement "LAN". See Once and for all COMPLETE Offbridge Port setup for how to do this. Then that removed port can become the basement vlan, however in this case you don't want to allow management access to the hAP AX3 from that port, this needs to have the firewall adjusted to prevent routing between the bridge and the removed port.
Then you can reset your RB260 to the standard config, and plug it into one of the remaining bridge ports, possibly in a different part of the upstairs where you want another group of wired devices all being fed from the hAP AX3 with a single cable.
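The dedicated-port layout suggested above, written out as a RouterOS sketch. This is an added example, not part of the thread or taken from the linked guide. It assumes the hAP AX3 still has its default configuration (bridge named `bridge`, interface lists `WAN` and `LAN`, default firewall and masquerade rule); `ether3`, the 192.168.200.0/24 subnet, the object names and the 1.1.1.1 resolver are illustrative choices.

```routeros
# Added example (assumed names and addresses, default hAP AX3 config expected).

# 1. Take the basement port out of the upstairs bridge.
#    ether3 is deliberately NOT added to the LAN interface list.
/interface bridge port remove [find interface=ether3]

# 2. Give the port its own subnet and DHCP server (assumed 192.168.200.0/24).
/ip address add address=192.168.200.1/24 interface=ether3 comment="basement gateway"
/ip pool add name=pool-basement ranges=192.168.200.10-192.168.200.200
/ip dhcp-server add name=dhcp-basement interface=ether3 \
    address-pool=pool-basement disabled=no
# A public resolver (assumed 1.1.1.1) is handed out so the basement never
# needs to reach a service on the router itself.
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1 \
    dns-server=1.1.1.1

# 3. Firewall: rules are appended, so they sit below the default
#    "accept established,related" rules and only affect new connections.
#    If the firewall is not the default one, check that no earlier rule
#    accepts this traffic first.

# Basement may only be routed towards the internet, never to the bridge
# or any other internal interface.
/ip firewall filter add chain=forward in-interface=ether3 \
    out-interface-list=!WAN action=drop comment="basement: internet only"

# Upstairs may not open connections into the basement either.
/ip firewall filter add chain=forward in-interface-list=LAN \
    out-interface=ether3 action=drop comment="upstairs: no access to basement"

# No management (WinBox, SSH, WebFig) or other router services from the
# basement port. The default "drop all not coming from LAN" input rule
# already covers this; the explicit rule keeps the intent visible.
/ip firewall filter add chain=input in-interface=ether3 action=drop \
    comment="basement: no access to router"

# 4. Review the result.
/ip firewall filter print where comment~"basement"
```

With this in place the cAP AX only has to bridge its wireless clients to its Ethernet port, and the RB260GS can be plugged into any remaining bridge port as a plain switch.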