while allowing each WLAN's devices access to the net, separating out my IP phones, and having a single server subnet. Basically like a guest LAN, because they are untrusted. I want to sandbox the mobile devices while still giving them access to the net.

I have a RB941-2nd (hAp-lite)

Would multiple bridges work?

I'd suggest to use VLAN. so each WLAN have one VLAN and your Linux server can be on the core netowrk

I'd suggest to use VLAN. so each WLAN have one VLAN and your Linux server can be on the core netowrk

Further more, you can configure linux server with VLAN devices (many if needed, one per VLAN served) and you don't need any routing between particular WLAN AP client and Linux server.

Is the concept of VLANS- basically extending the number of logical "subnets" that can be contained *alongside one another* in a virtual pipe?

Thats what I am gathering, but since the end user machine/device (except for routing hardware) dont seem to have vlan settings, (except my phones do, but they also seem to have a little switch too.) So the vlan is just for pipes between switches/routers/access points (real or logical)??

What order should I do this in? I do have a much larger switch - an external rack mount "managed" switch which currently is just being a dumb switch which supports vlans which I can use. Its old but it supports 24 ports and is a gigabit switch. (it was a steal for $40 that I couldn't pass up) Its a linksys switch post Cisco but barely, it was built around 2008-9.

Unfortunately its web gui only works on a browser I refuse to use but it does have a console.

Suppose you were me and starting fresh. What should my order of battle be to set this up to get the best performance and security? So far, the wired subnets Ive created have worked great. the switch does great with multiple subnets as long as they are wired and have an IP address attached to the gateway port for each one, but the virtual access points Ive tried to set up havent been working. I'm clearly missing some important piece of it. Maybe that piece is vlans? Other posts on here seem to steer me towards having multiple bridges?
the problem is, all the articles on vlans on Mikrotik I have found are describing doing them with multiple devices to extend the topology of one area to another. Despite the big switch the traffic on my little home lan is very modest, a few phones, lots of work related ssh traffic, some video watching, some phones, some raspberry pis and internet connected toothbrushes, toasters, toilets, etc. etc. (just kidding)

As far as a value for money, the little Hap Lite is a spectacular deal.

My problem is, I can only experiment at night and on weekends. Literally when another household member, a heavy user of Internet services, is sleeping.

its good to have the ability to use a script to revert to the previous config if it doesn't work!

(I've answered a lot of my previous questions by reading the wiki.. thats a good example of one of them) Still, this particular area could be covered better. Its not clear enough from a new user perspective which approach is better for what.

Indeed VLAN is Virtual LAN ... imagine you want to have two separate LANs (perhaps some routing between them, but that's next step). If limited to use real hardware and dumb ethernet switches, you'd run two ethernet cables in parallel on certain connection paths (e.g. between different distribution switches or between routers and switches). Using VLANs enables you to use one physical interface/connection (i.e. port on switch and/or UTP cable) but still have separation between the two LANs.

Let's say you need two separated LANs. If I was you, I'd start with configuring two VLANs on your managed switch with, for example, VLAN IDs (VIDs) 10 and 20. Then you dedicate some ports on the switch to each logical LAN by configuring them to be untagged/access ports for a given VLAN, for example ports 5-14 are configured with VID=10 and ports 15-24 with VID=20. At this point the both VLANs are separated and a device, connected to switch port 10 can not communicate with device, connected to switch port 20.
Then you configure switch port number 1 as tagged/trunk port and configure it to be member of both VLANs. This port will be used to connect switch with RB.
Next step is to configure RB. you first need to configure at least one port on LAN side of RB (e.g. port ether5) to be trunked port with same two VIDs (note that at least on my device, ethernet switch ports are enumerated starting with 0 being ether1): Be sure you include pseudo-port named switch1-cpu to any VLAN port list where you need to pass packets to router's CPU - and that's needed there's need for routing for a given VLAN.
Default configuration is to have all LAN ethernet ports on RB (mostly that's ether2-ether5) members of single bridge. My experience is that you don't need to reconfigure bridge for use with VLANs, however you might want to configure the rest of LAN ports to be untagged/access ports for one of VLANs, for example: In this case you can connect some device to one of those RB ports and have it become member of a given VLAN in the same way as if it was connected to appropriate port on switch.

Then you need to add a special network interface so that router can deal directly with packets in VLANs:
At this point every device in VLAN ID=10 can communicate with any device in VLAN ID=20. However, you need to set-up the usual IP routing details on devices (such as making your RB default router for those devices). If complete openness for communication between the two sub networks is not desired, you would define some /ip firewall filter to limit cross-connectivity only to allowed cases.

If you have to connect some device, which is capable of dealing with VLANs and it needs to be connected to more than one VLAN at the same time, that's possible as well. One example of such a device would be a Linux server which serves more than one VLAN. In this case you need to configure appropriate ethernet port on switch or RB to be mixed port - such port accepts either VLAN tagged packets and untagged as well, making it hybrid metween trunk port (dealing with tagged packets) and access port (the untagged ports). The configuration of such a port is similar to this: The difference between this setup and similar section higher in this post is that the same port, which has one default-vlan-id setting, is listed as member of more than one VLAN. Meaning that for the VLAN, set as default, this port is acess (untagged) and for the rest it's trunk (tagged) port.

On the device then you set up additional IP address for each tagged VLAN, on Linux is quite simple: It's exactly the same as configuring normal ethernet interface, the only difference is in the name of interface, where you append VLAN ID after device name with a dot in between (in teh case above that's ".20" for VLAN ID 20).

The benefit of such device configuration is that all the traffic between devices in the "secondary" VLAN and the server only traverse switches, which is mostly done wire-speed. Without it, the traffic would pass router CPU which is mostly quite a bit slower. On the other hand, passing through router gives you possibility for some filtering. E.g. you could only allow connections from certain devices or even to some certain services (such as http), which can not be done with VLAN-based configuration.

Metod, thank you for this help.

Re using two 100Mbps ethrrnet ports to double the speed: it can be done, it's called bonding or link aggregation or ... There is plenty of information available, both general as well as Mikrotik specific ... to get some idea how to get around ...

Beware that bonds on RBs are handled in SW, so if you drop a bond into the mix, configuration becomes quite different from what I described ... and hw acceleration is lost, most of operations then involve RBs CPU ... which might become a bottleneck.

I am going to put that into a separate post, sorry for editing post-post, it just seemed to be off topic.

Basically after reading other posts and thinking about it despite the fact that the three virtual wlans' vlans I am setting up dont need to be brought out to the 24 port switch, having extra jacks *there* makes it much easier to troubleshoot them. having them available to plug into to see what is going where would be super helpful, so I think I am going to do that.

Also another vlan for logging, and another one for monitoring the DMZ.

Thank you for the code snippets!

.....

Three Vlans for the Elven-kings under the sky,
Seven for the Dwarf-lords in their halls of stone,
Nine for Mortal Men doomed to die,
One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.
One Vlan to rule them all, One Vlan to find them,
One Vlan to bring them all and in the darkness bind them

......

My old switch demand that I use IE to access its web interface, but that seems to be impossible, as none of the versions of IE I've tried seem to work.

So I will just use the command line and keep everything very simple.