What is the best spot to create vlan on AC3

Hi

New to Mikrotik though not to networking. Just got my AC3 with a couple of cAP ax.
I want to replace my unifi USG with HAP AC3 with the following configuration. Image attached for visual reference.
These are all working on my current unifi setup but trying to recreate the same on AC3 got me all worked up. Combed through the wiki, vids, forum and help and got it working but without configuring vlan.
This got me worried.

Most of the vlan examples with wlan do reference wifiwave v1 but not v2.
I have read this great article but am still not sure how to get it to work with the new RouterOS v7.11 and wifiwave2 (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1)

Any assistance would be appreciated.

Here is my requirement
ac3 setup.png
ISP ↔ HAP AC3 ↔ CISCO SW ↔ cAP ax

I want to create the following

SSID

  • Apt1 / 10.10.10.0/24 - vLan10
  • Apt2 / 10.10.20.0/24 - vLan20
  • Apt3 / 10.10.30.0/24 - vLan130
  • Guest / 10.10.40.0/24 - vLan40
  • IoT / 10.10.50.0/24 - vLan50
  • House / 192.168.10.0/24 - default

I want to configure the ports and wifi on the AC3 as hybrid.
The ports on the cisco where the AP connects are all trunked already.

Questions
*** PLS NOTE: I am using wifi2 v7.11.2, and would be adding a couple of cAP ax once I get the built-in wifi working
*** RouterOS v7.11.2
*** All cap ax would be updated to same version

1- Do I create a bridge for WLAN and LAN separately or just one
2- Where is the best place to create vlan for these? Without vlan they all seem to work but once I create vlan, everything seems to break
3- Do I need to create a vlan for each bridge
4- When I tried to assign 10.10.50.0/24 to my wifi1 (the 2.4ghz card), I get an error saying "cannot run on slave interface". But this is the built-in wifi interface. I thought the built-in is master and virtual are slave?

Lastly, I want all ports and wlan ports to support all vlan IDs but I will be limiting connections between them later once I get it working.

Okay the good news is that the hapac3 can run wifiwave2 package.
So best bet is to download 7.12 stable, should be out soon for all of your devices and the wifiwave2 package.
The hapac3 will be your capsman device, and with this combo, roaming between devices is apparently enhanced!

Useful Links:
https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-WifiWave2CAPsMAN
Links bad, see below!!

Hi Anav

Thank you for the response.
I will check out the first link since the other 3 links do not work; it states that the video is not available.

Hmm maybe I did something wrong…
https://www.youtube.com/watch?v=1Ct6aJXTE5g
https://www.youtube.com/watch?v=vkWPlsuyuKE
https://www.youtube.com/watch?v=r2OxOYM0IlQ
https://www.youtube.com/watch?v=taQ70m0DVYA&t=13s

I would like to know what you think of the AC3 WAPs. I am trying to decide on Mikrotik or RUCKUS R850 for a quality Access Point.

Why would you interrupt a thread like so… No manners Indiana :wink:
Start a new thread please if you have a different question or issue.

Jazz is okay, but JazzFunk is another level…

Hi Anav
I have gone through these vids. One thing with most of these vids is that the examples are mostly on a virgin setup, not one with other settings.
My issue is that wifi works with the various address pools but without vlan.
When I implement vlan, everything breaks, thereby leading to my questions:


1- Do I create a bridge for WLAN and LAN separately or just one
2- Where is the best place to create vlan for these? Without vlan they all seem to work but once I create vlan, everything seems to break
3- Do I need to create a vlan for each bridge
4- When I tried to assign 10.10.50.0/24 to my wifi1 (the 2.4ghz card), I get an error saying "cannot run on slave interface". But this is the built-in wifi interface. I thought the built-in is master and virtual are slave?

Lastly, I want all ports and wlan ports to support all vlan IDs but I will be limiting connections between them later once I get it working.

Thanks for your responses

Sorry, I have only created vlans on basic wifi, not with wifiwave2 in conjunction with VLANs.
I think you only set up vlans the way I know on the device running capsman, the AC3 in this case, and on the other devices you set up the vlans via some datapath commands.

I think it's absolutely horrible that the documentation and videos don't help, but even worse are the so-called capsman lovers here who trumpet its benefits but have FAILED to provide a user article on how to set up wifiwave2 with capsman for the very case you present. A very normal case, an expected case, one that should be relatively easy to produce a decent user article…

Where are the guilty bastards… …start writing one up!

As far as I can see there is no mention of capsman here and every AP is on a separate subnet, so why don't you just untag them and leave trunks between AC3, CISCO and USW?

  1. On AC3 you need only one bridge, there is no need for more bridges, and you add all ports as bridge members except the port you are using for the connection to your ISP, probably ether1.

  2. Best practice is to create VLANs on the bridge. There is a great tutorial by @anav on how to create those.

  3. No multiple bridges.

  4. That's normal, as wifi1 is probably a member of a bridge and by default the bridge already has a subnet assigned to it.

It would be best to provide us your current configuration.
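The layout that reply describes (one bridge, ISP port kept out of it, VLANs created on the bridge, trunk and hybrid ports carrying every VLAN), written out as an added example for the subnets in the original question. This is not configuration from anyone on this thread. It assumes ether1 is the ISP port, ether2 is the trunk to the Cisco switch, ether3 is a hybrid port, Apt3 is VLAN 30 (as in the posted config), and the House network stays untagged on VLAN 1 for management; interface names are illustrative.

```routeros
# Added example, not the poster's config. Assumptions: ether1 = WAN (not in the
# bridge), ether2 = trunk to the Cisco switch, ether3 = hybrid port, House stays
# untagged (VLAN 1) so management keeps working. Run it from a console session
# with /system safe-mode on: a wrong VLAN table locks you out the moment
# vlan-filtering is switched on.

/interface bridge
add name=bridgeLAN-WLAN vlan-filtering=no comment="filtering is enabled last"

/interface bridge port
add bridge=bridgeLAN-WLAN interface=ether2 pvid=1 comment="trunk to Cisco"
add bridge=bridgeLAN-WLAN interface=ether3 pvid=1 comment="hybrid: untagged 1, tagged 10-50"

# One row can list every tenant VLAN. VLAN 1 needs no row: it is created
# dynamically from the ports' pvid. The bridge itself must be a tagged member,
# otherwise the router has no L3 presence in these VLANs.
/interface bridge vlan
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN,ether2,ether3 vlan-ids=10,20,30,40,50

# The router's address in each VLAN lives on a VLAN interface on the bridge,
# never on a port: a port that is a bridge member is a "slave" and refuses an
# address, which is exactly the error the original post hit on wifi1.
/interface vlan
add interface=bridgeLAN-WLAN name=vlan10-apt1  vlan-id=10
add interface=bridgeLAN-WLAN name=vlan20-apt2  vlan-id=20
add interface=bridgeLAN-WLAN name=vlan30-apt3  vlan-id=30
add interface=bridgeLAN-WLAN name=vlan40-guest vlan-id=40
add interface=bridgeLAN-WLAN name=vlan50-iot   vlan-id=50

/interface list
add name=VLAN
/interface list member
add interface=vlan10-apt1  list=VLAN
add interface=vlan20-apt2  list=VLAN
add interface=vlan30-apt3  list=VLAN
add interface=vlan40-guest list=VLAN
add interface=vlan50-iot   list=VLAN

/ip address
add address=192.168.10.254/24 interface=bridgeLAN-WLAN
add address=10.10.10.254/24   interface=vlan10-apt1
add address=10.10.20.254/24   interface=vlan20-apt2
add address=10.10.30.254/24   interface=vlan30-apt3
add address=10.10.40.254/24   interface=vlan40-guest
add address=10.10.50.254/24   interface=vlan50-iot

/ip pool
add name=pool-apt1  ranges=10.10.10.50-10.10.10.99
add name=pool-apt2  ranges=10.10.20.50-10.10.20.99
add name=pool-apt3  ranges=10.10.30.50-10.10.30.99
add name=pool-guest ranges=10.10.40.50-10.10.40.99
add name=pool-iot   ranges=10.10.50.50-10.10.50.99

# DHCP servers bind to the VLAN interfaces, not to wifi or ethernet ports.
/ip dhcp-server
add name=dhcp-apt1  interface=vlan10-apt1  address-pool=pool-apt1
add name=dhcp-apt2  interface=vlan20-apt2  address-pool=pool-apt2
add name=dhcp-apt3  interface=vlan30-apt3  address-pool=pool-apt3
add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest
add name=dhcp-iot   interface=vlan50-iot   address-pool=pool-iot
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.254 dns-server=10.10.10.254
add address=10.10.20.0/24 gateway=10.10.20.254 dns-server=10.10.20.254
add address=10.10.30.0/24 gateway=10.10.30.254 dns-server=10.10.30.254
add address=10.10.40.0/24 gateway=10.10.40.254 dns-server=10.10.40.254
add address=10.10.50.0/24 gateway=10.10.50.254 dns-server=10.10.50.254

# Check before enabling filtering: the port you manage through must be untagged
# in VLAN 1 and the bridge must appear in the tagged column of the row above.
/interface bridge vlan print

# Only now turn filtering on. ingress-filtering makes each port drop frames for
# VLANs it is not a member of, which is what stops a client from hopping VLANs
# by tagging its own frames.
/interface bridge port set [find bridge=bridgeLAN-WLAN] ingress-filtering=yes
/interface bridge set bridgeLAN-WLAN vlan-filtering=yes
```

Access ports and SSIDs are attached afterwards by giving each bridge port the pvid of its VLAN; until that is done only the trunk, the hybrid port and the router itself carry the tagged VLANs, which is the safe state to be in while testing.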

Hi
Here is my configuration. Everything works without VLAN filtering on the bridge and no tagging on the bridge vlan.
I want to ensure all settings are correct before proceeding to adding cAP ax and configuring a firewall between the APs.

Thanks for your assistance
(FYI: I reached out to someone on another thread. I will try and combine them here so as not to end up with 2 threads on the same issue).

/interface bridge
add name=bridgeLAN-WLAN
/interface ethernet
set [ find default-name=ether1 ] name="PORT1[WAN]"
set [ find default-name=ether2 ] name=PORT2
set [ find default-name=ether3 ] name=PORT3
set [ find default-name=ether4 ] name=PORT4
set [ find default-name=ether5 ] name=PORT5
/interface vlan
add interface=bridgeLAN-WLAN name=vlan10-mjoy vlan-id=10
add interface=bridgeLAN-WLAN name=vlan20-mfavor vlan-id=20
add interface=bridgeLAN-WLAN name=vlan30-mpeace vlan-id=30
add interface=bridgeLAN-WLAN name=vlan40-mhope vlan-id=40
add interface=bridgeLAN-WLAN name=vlan50-mIoT vlan-id=50
add interface=bridgeLAN-WLAN name=vlan60-mguests vlan-id=60
/interface list
add name=WAN
add name=LAN
add name=VLAN

/interface wifiwave2 configuration
add channel.band=2ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mIoT \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=MIoT4
add channel.band=5ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mjoy \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=#MJoy4
add channel.band=5ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mfavor \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=#MFavor4
add channel.band=5ghz-a .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mfruit \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=MFruits4
add channel.band=5ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mpeace \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=#MPeace4
add channel.band=5ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mhope \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=#MHope4
add channel.band=5ghz-n .skip-dfs-channels=disabled country=Canada disabled=no mode=ap name=cfg-mguests \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=#MGuests
/interface wifiwave2
set [ find default-name=wifi2 ] configuration=cfg-mfruit configuration.country=Canada .mode=ap .ssid=\
    MFruits4 disabled=no name=hAP_wifi2-5.0
add configuration=cfg-mfavor configuration.mode=ap disabled=no mac-address=4A:A9:8A:7C:FC:26 \
    master-interface=hAP_wifi2-5.0 name=v-wifi-mfavor-5.0
add configuration=cfg-mhope configuration.mode=ap disabled=no mac-address=4A:A9:8A:7C:FC:28 \
    master-interface=hAP_wifi2-5.0 name=v-wifi-mhope-5.0
add configuration=cfg-mjoy configuration.mode=ap .ssid=#MJoy4 disabled=no mac-address=4A:A9:8A:7C:FC:25 \
    master-interface=hAP_wifi2-5.0 name=v-wifi-mjoy-5.0
add configuration=cfg-mpeace configuration.mode=ap disabled=no mac-address=4A:A9:8A:7C:FC:27 \
    master-interface=hAP_wifi2-5.0 name=v-wifi-mpeace-5.0
/ip pool
add name=dhcp_pool0 ranges=192.168.10.50-192.168.10.199
add name=dhcp_pool1 ranges=10.10.10.50-10.10.10.99
add name=dhcp_pool2 ranges=10.10.20.50-10.10.20.99
add name=dhcp_pool3 ranges=10.10.30.50-10.10.30.99
add name=dhcp_pool4 ranges=10.10.40.50-10.10.40.99
add name=dhcp_pool5 ranges=10.10.50.50-10.10.50.99
add name=dhcp_pool6 ranges=10.10.60.50-10.10.60.99
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridgeLAN-WLAN name=dhcp1
add address-pool=dhcp_pool1 interface=v-wifi-mjoy-5.0 name=vlan10-mjoy
add address-pool=dhcp_pool2 interface=v-wifi-mfavor-5.0 name=vlan20-mfavor
add address-pool=dhcp_pool3 interface=v-wifi-mpeace-5.0 name=vlan30-mpeace
add address-pool=dhcp_pool4 interface=v-wifi-mhope-5.0 name=vlan40-mhope
/interface wifiwave2
set [ find default-name=wifi1 ] channel=*2 configuration=cfg-mIoT configuration.mode=ap datapath=*1 \
    disabled=no name=hAP_wifi1 security=*1
add configuration=cfg-mIoT configuration.mode=ap disabled=no mac-address=4A:A9:8A:7C:FC:29 \
    master-interface=hAP_wifi1 name=v-wifi-mIoT
add configuration=cfg-mguests configuration.mode=ap disabled=no mac-address=4A:A9:8A:7C:FC:2A \
    master-interface=hAP_wifi1 name=v-wifi-mguests-5.0
/interface bridge port
add bridge=bridgeLAN-WLAN interface=PORT2
add bridge=bridgeLAN-WLAN interface=PORT3
add bridge=bridgeLAN-WLAN interface=PORT4
add bridge=bridgeLAN-WLAN interface=PORT5
add bridge=bridgeLAN-WLAN interface=hAP_wifi2-5.0
add bridge=bridgeLAN-WLAN interface=hAP_wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=10
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=20
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=30
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=40
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=50
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=60
/interface list member
add interface="PORT1[WAN]" list=WAN
add interface=bridgeLAN-WLAN list=LAN
add interface=vlan10-mjoy list=VLAN
add interface=vlan20-mfavor list=VLAN
add interface=vlan30-mpeace list=VLAN
add interface=vlan40-mhope list=VLAN
add interface=vlan50-mIoT list=VLAN
add interface=vlan60-mguests list=VLAN
/interface wifiwave2 cap
set enabled=yes
/ip address
add address=192.168.10.254/24 interface=bridgeLAN-WLAN network=192.168.10.0
add address=10.10.10.254/24 interface=v-wifi-mjoy-5.0 network=10.10.10.0
add address=10.10.20.254/24 interface=v-wifi-mfavor-5.0 network=10.10.20.0
add address=10.10.30.254/24 interface=v-wifi-mpeace-5.0 network=10.10.30.0
add address=10.10.40.254/24 interface=v-wifi-mhope-5.0 network=10.10.40.0
add address=10.10.50.254/24 interface=v-wifi-mIoT network=10.10.50.0
add address=10.10.60.254/24 interface=v-wifi-mguests-5.0 network=10.10.60.0
/ip dhcp-client
add interface="PORT1[WAN]"
/ip dhcp-server
add address-pool=dhcp_pool5 interface=v-wifi-mIoT name=vlan50-miot
add address-pool=dhcp_pool6 interface=v-wifi-mguests-5.0 name=vlan60-mguest
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.10.10.0/24 gateway=10.10.10.254
add address=10.10.20.0/24 gateway=10.10.20.254
add address=10.10.30.0/24 gateway=10.10.30.254
add address=10.10.40.0/24 gateway=10.10.40.254
add address=10.10.50.0/24 gateway=10.10.50.254
add address=10.10.60.0/24 gateway=10.10.60.254
add address=192.168.10.0/24 dns-server=10.0.0.1 gateway=192.168.10.254 netmask=24
/ip dns
set servers=192.168.10.254
/ip firewall filter
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface="PORT1[WAN]"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.10.0/24 port=2281
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=BOL_hAP_AC3
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What is this?

add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24

You said without tagging on the bridge but you tagged VLANs on the bridge:

/interface bridge vlan
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=10
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=20
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=30
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=40
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=50
add bridge=bridgeLAN-WLAN tagged=bridgeLAN-WLAN vlan-ids=60

VLANs will not work until you enable VLAN filtering on the bridge. Also you didn't define a VLAN ID for any interface.

Joining/following “from that other thread”… other thread is locked.

This was probably left over by Winbox as that was not entered by me personally.

My apologies. The note was written but I continued to tinker with it and ended up creating the vlan.

Here are screenshots of my configurations
BRIDGE:
11.png

Here are screenshots of my configurations
INTERFACES
22.png

You don't need to use service tag. Okay, now you created VLANs, did you try to assign a VLAN to any interface so you can test it?
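The step that last reply asks about, assigning VLANs to interfaces and then testing, as an added example against the names in the posted config. This is not from any poster on the thread. It assumes the posted bridgeLAN-WLAN, its /interface vlan entries, the VLAN/LAN/WAN interface lists and the posted firewall rules exist, and that vlan-filtering has already been enabled on the bridge; treating PORT4 as a wired IoT port is this example's choice.

```routeros
# Added example, not the poster's config. Assumes bridgeLAN-WLAN with
# vlan-filtering=yes, the posted /interface vlan entries and interface lists.
# PORT4 as a wired IoT port is an assumption for illustration.

# 1. Move L3 off the wifi interfaces first. Once a wifi interface is a bridge
#    port it is a slave and can hold no address (the error in the original
#    post); the address and DHCP server belong on the VLAN interface.
/ip address
set [find interface=v-wifi-mIoT] interface=vlan50-mIoT
set [find interface=v-wifi-mguests-5.0] interface=vlan60-mguests
/ip dhcp-server
set vlan50-miot interface=vlan50-mIoT
set vlan60-mguest interface=vlan60-mguests

# 2. Access ports: pvid = the VLAN, tagged frames refused so a client cannot
#    tag itself into a neighbour's VLAN, and frames for VLANs the port is not a
#    member of dropped. PORT4 is already a bridge port, so it is edited; the
#    virtual SSIDs are added (a virtual wifi interface is just another port).
/interface bridge port
set [find interface=PORT4] pvid=50 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridgeLAN-WLAN interface=v-wifi-mIoT pvid=50 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridgeLAN-WLAN interface=v-wifi-mguests-5.0 pvid=60 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. Make membership explicit (pvid already adds it dynamically). The rows exist
#    in the posted config, so they are edited rather than re-added.
/interface bridge vlan
set [find vlan-ids=50] untagged=PORT4,v-wifi-mIoT
set [find vlan-ids=60] untagged=v-wifi-mguests-5.0

# 4. Policy: tenant VLANs get Internet only. The posted input chain ends in
#    "drop in-interface-list=!LAN" and the VLAN list is not in LAN, so the
#    router's own DNS/DHCP must be accepted above that rule or tenants lose DNS.
/ip firewall filter
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67 \
    place-before=[find chain=input action=drop] comment="DNS/DHCP from VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 \
    place-before=[find chain=input action=drop]
add chain=forward action=accept connection-state=established,related \
    comment="fasttrack-connection marks but does not accept; accept replies here"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN \
    comment="tenant VLAN -> Internet"
add chain=forward action=drop in-interface-list=VLAN \
    comment="tenant VLAN -> other VLANs, House or the router's LAN: dropped"

# 5. Verify. The current-tagged/current-untagged columns must match intent, a
#    connected client's MAC must be learned with the expected vid, and its lease
#    must come from the VLAN's server, not from the old wifi-bound one.
/interface bridge vlan print
/interface bridge host print where vid=50
/ip dhcp-server lease print
```

The bridge-port pvid route is used here because it works the same way for an ethernet port and a wifi interface. wifiwave2's datapath vlan-id is the other route: the wifi driver then inserts the tag itself, so the interface belongs in the tagged rather than the untagged column of /interface bridge vlan. Whichever route is used, the bridge host table is the check: if a client's MAC shows up with vid 1 instead of 50, the frames arrived untagged on a port whose pvid is still 1.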