ian404
just joined
Topic Author
Posts: 6
Joined: Wed May 31, 2017 1:21 am

Restrict management to one physical interface?

Fri Jun 02, 2017 12:12 am

I have a hAP AC Lite which is configured so all 5 physical ports use master = ether1. ether1 (172.16.0.2) is connected to a router (172.16.0.1) which handles dns and dhcp. I then have a Bridge1 which is wlan1, wlan2 and ether1. I think that makes sense although let me know if it doesn't.. Now I think what I should do next to increase security is make it so management of any type is only possible through one physical interface (5) which will otherwise never be used. So could I set ether5 as master = none. ether5 = 10.0.0.1, run a dhcp server on ether5.. that should isolate ether5? Then I want a way (I don't know how) of restricting all of the IP>Services stuff so it's only accessible from a device physically plugged in to ether5.

I'd be grateful if someone could describe roughly what I need to do to achieve this and whether it is sensible?

An unrelated question, there's something that's not right with my setup.. I have 2 wireless client devices, a Blackberry Priv and Nvidia Shield K1 (both Android devices that support 5GHz wifi and I use both devices connected to a 5GHz Asus AP). The hAP Lite has 5GHz and 2.4 GHz (wlan1 and wlan2). From the Priv, I can see both the 2.4GHz Mikro SSID and the 5GHz Mikro SSID. From the Nvidia Shield K1 I can only see the 2.4 GHz Mikro SSID. Why? The 5GHz wlan2 is in A/N/AC mode, the Shield K1 can see the 5GHz Asus AP no problem. I'm using the wifi menu on the Priv and K1 but also double checking by using the open source "WiFiAnalyzer" from the Google Play Store on both devices to view nearby APs and that also fails to show the MikroTik 5GHz SSID on (only) the K1?

I'm doing all management of the hAP through either webfig or telnet (soon to be ssh) from a linux box (so no winbox).
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Restrict management to one physical interface?

Fri Jun 02, 2017 1:08 pm

I have a hAP AC Lite which is configured so all 5 physical ports use master = ether1. ether1 (172.16.0.2) is connected to a router (172.16.0.1) which handles dns and dhcp. I then have a Bridge1 which is wlan1, wlan2 and ether1. I think that makes sense although let me know if it doesn't.. Now I think what I should do next to increase security is make it so management of any type is only possible through one physical interface (5) which will otherwise never be used. So could I set ether5 as master = none. ether5 = 10.0.0.1, run a dhcp server on ether5.. that should isolate ether5? Then I want a way (I don't know how) of restricting all of the IP>Services stuff so it's only accessible from a device physically plugged in to ether5.
Yes, that would isolate ether5. Use IP > Firewall filter rule for this, allowing only access to the router (input chain) from in-interface = ether5.
An unrelated question, there's something that's not right with my setup.. I have 2 wireless client devices, a Blackberry Priv and Nvidia Shield K1 (both Android devices that support 5GHz wifi and I use both devices connected to a 5GHz Asus AP). The hAP Lite has 5GHz and 2.4 GHz (wlan1 and wlan2). From the Priv, I can see both the 2.4GHz Mikro SSID and the 5GHz Mikro SSID. From the Nvidia Shield K1 I can only see the 2.4 GHz Mikro SSID. Why? The 5GHz wlan2 is in A/N/AC mode, the Shield K1 can see the 5GHz Asus AP no problem. I'm using the wifi menu on the Priv and K1 but also double checking by using the open source "WiFiAnalyzer" from the Google Play Store on both devices to view nearby APs and that also fails to show the MikroTik 5GHz SSID on (only) the K1?

I'm doing all management of the hAP through either webfig or telnet (soon to be ssh) from a linux box (so no winbox).
This looks K1 related... Maybe wireless settings or security config is not supported by it? Post an export:
/interface wireless export
Could be tied to the 5GHz channels you're using, it may be "locked" to 36-48, Band A UNII 1.
 
ian404
just joined
Topic Author
Posts: 6
Joined: Wed May 31, 2017 1:21 am

Re: Restrict management to one physical interface?

Fri Jun 02, 2017 10:04 pm

Great, thanks. I did this with a firewall rule that drops chain=input, in-interface=bridge1. I now realise I probably could have done !ether5 instead.

You seem to be correct about the 36-48 Band A UNII 1 thing. I never noticed before but the K1 does seem to work once I change the frequency to 5220. /interface wireless export just showed a default setup but with auth by WPA2 only and country = UK.
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: Restrict management to one physical interface?

Fri Apr 13, 2018 6:43 pm

To make things future proof and slightly more readable you could create two filter rules:
  • allow chain=input in-interface=ether5
  • drop chain=input
in this particular order.
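The whole setup discussed in this thread (isolating ether5, running DHCP on it, and the two-rule input chain mkx describes, plus locking the IP > Services entries to that subnet) written out as one RouterOS 6.x configuration. This is an added example, not configuration posted by anyone in the thread; it assumes the 10.0.0.0/24 subnet from the first post, a constructed DHCP pool of 10.0.0.10-10.0.0.20, and the pre-6.41 master-port syntax that the original post uses.

```routeros
# Added example (not from any poster in this thread): management reachable
# only from a device plugged into ether5. Assumes 10.0.0.0/24 on ether5,
# a constructed pool 10.0.0.10-10.0.0.20 and RouterOS 6.x master-port syntax.

# 1. Take ether5 out of the ether1 switch group so it is an isolated port.
/interface ethernet set ether5 master-port=none

# 2. Router address on the management port, and a small DHCP server for it.
/ip address add address=10.0.0.1/24 interface=ether5 comment="management only"
/ip pool add name=mgmt-pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1
/ip dhcp-server add name=mgmt-dhcp interface=ether5 address-pool=mgmt-pool disabled=no

# 3. Input chain in the order mkx suggests: accept from ether5 first, then
#    replies to the router's own outbound traffic (DNS, NTP), then drop the rest.
/ip firewall filter
add chain=input in-interface=ether5 src-address=10.0.0.0/24 action=accept \
    comment="management from the isolated port only"
add chain=input connection-state=established,related action=accept \
    comment="replies to router-originated traffic"
add chain=input action=drop comment="everything else addressed to the router"

# 4. Second layer: bind the services to the management subnet and switch off
#    the ones the thread does not need (telnet is being replaced by ssh).
/ip service set ssh address=10.0.0.0/24
/ip service set www address=10.0.0.0/24
/ip service set winbox address=10.0.0.0/24
/ip service disable telnet,ftp,api,api-ssl
```

Two practical notes. `add` appends to the end of the filter list, so if a drop rule already exists (as in ian404's first attempt) the new accept rule would sit behind it and never match; check `/ip firewall filter print` and use `place-before=` to put the accept rules ahead of the drop. And enter the drop rule last, from a session that is already connected through ether5, with Safe Mode (Ctrl-X in the terminal) engaged, so a mistake in the accept rules does not lock you out of the router.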
