I have a hAP AC Lite which is configured so all 5 physical ports use master = ether1. ether1 (172.16.0.2) is connected to a router (172.16.0.1) which handles DNS and DHCP. I then have a Bridge1 which is wlan1, wlan2 and ether1. I think that makes sense, although let me know if it doesn't. Now I think what I should do next to increase security is make it so management of any type is only possible through one physical interface (5) which will otherwise never be used. So could I set ether5 as master = none, ether5 = 10.0.0.1, and run a DHCP server on ether5? That should isolate ether5? Then I want a way (I don't know how) of restricting all of the IP>Services stuff so it's only accessible from a device physically plugged into ether5.
I'd be grateful if someone could describe roughly what I need to do to achieve this and whether it is sensible?
An unrelated question: there's something that's not right with my setup. I have 2 wireless client devices, a Blackberry Priv and an Nvidia Shield K1 (both Android devices that support 5GHz Wi-Fi, and I use both devices connected to a 5GHz Asus AP). The hAP Lite has 5GHz and 2.4GHz (wlan1 and wlan2). From the Priv, I can see both the 2.4GHz Mikro SSID and the 5GHz Mikro SSID. From the Nvidia Shield K1 I can only see the 2.4GHz Mikro SSID. Why? The 5GHz wlan2 is in A/N/AC mode, and the Shield K1 can see the 5GHz Asus AP no problem. I'm using the Wi-Fi menu on the Priv and K1 but also double-checking by using the open source "WiFiAnalyzer" from the Google Play Store on both devices to view nearby APs, and that also fails to show the MikroTik 5GHz SSID on (only) the K1?
I'm doing all management of the hAP through either WebFig or telnet (soon to be SSH) from a Linux box (so no WinBox).
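
A sketch of the dedicated management port described in the post, written as RouterOS CLI commands; this is an added example, not part of the original post. It assumes the master-port style of RouterOS the post uses, a /24 mask on 10.0.0.1, and illustrative names and ranges (`mgmt-pool`, `mgmt-dhcp`, 10.0.0.10-10.0.0.20) that do not come from the post.

```routeros
# Run this from a console session with Safe Mode enabled (Ctrl+X), so a
# mistake that cuts off your own session is rolled back automatically.

# 1. Take ether5 out of the switch group so it is a standalone interface.
/interface ethernet set ether5 master-port=none

# 2. Management subnet on ether5 (the /24 mask is an assumption).
/ip address add address=10.0.0.1/24 interface=ether5

# 3. Small DHCP scope for the management laptop (names/ranges illustrative).
/ip pool add name=mgmt-pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server add name=mgmt-dhcp interface=ether5 address-pool=mgmt-pool disabled=no
/ip dhcp-server network add address=10.0.0.0/24

# 4. Restrict the IP > Services entries you use to the management subnet
#    and switch off the ones you do not use. This filter matches on the
#    client's source address only, not on the port it arrived on.
/ip service set www address=10.0.0.0/24
/ip service set ssh address=10.0.0.0/24
/ip service set telnet address=10.0.0.0/24
/ip service disable ftp,api,api-ssl,winbox

# 5. Bind management to the physical port with the input chain: traffic
#    addressed to the router itself is accepted only when it enters on
#    ether5. Replies to connections the router opened are still allowed.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to router-originated traffic"
/ip firewall filter add chain=input in-interface=ether5 action=accept comment="management port"
/ip firewall filter add chain=input action=drop comment="no management from bridge/LAN/Wi-Fi"

# 6. Keep the management subnet isolated: nothing is routed between
#    ether5 and the rest of the network in either direction.
/ip firewall filter add chain=forward in-interface=ether5 action=drop comment="mgmt port cannot reach LAN"
/ip firewall filter add chain=forward out-interface=ether5 action=drop comment="LAN cannot reach mgmt port"
```

The service address lists and the input-chain rules overlap on purpose: the first limits who may log in by source address, the second ties access to the physical port. Layer-2 management paths such as MAC-Telnet and neighbour discovery are configured separately under `/tool mac-server` and `/ip neighbor`, whose syntax differs between RouterOS versions, so they are not shown here.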