Hi, As you can see in my picture I want to configure 3 VLANS and on my Firewall I have allso 3 VLANS.
I want that each VLAN use his own Gateway on the firewall
How do I configure this?

On the Mikrotik I have configured 3 Virtual AP's on WLAN1.
I some wired computers on Ether 2 (VLAN id 1)
Ether 1 is connected to an switch (Cisco) and in the Cisco I configured Tagged and untagged VLANS

The question would be clearer if you could mark the diagram with where each VLAN is to be tagged or untagged. e.g. Cisco trunk ports using 802.1q by default have VLAN 1 as the native (untagged) VLAN.

The Cisco is not the problem
But I don't know how to configure the mikrotik

De Cisco has ID 1 untagged en ID 10 and 20 Tagged on the port that is connected to the Mikrotik and the Firewall

Deleted because not related.

What do you want at Ether 2 on the RouterBoard? Untagged or tagged?

If you have the option of using three tagged VLANS coming from the Cisco I would do so - it allows a cleaner config on the RouterBoard.

De Cisco has ID 1 untagged en ID 10 and 20 Tagged on the port that is connected to the Mikrotik and the Firewall

The VLAN ID1 at the MikroTik is the problem.
VLAN ID1 must be untagged and the VLAN ID1 on virtual AP must be tagged.

In normal terms and conditions where you are setting up a VLAN (Switch to endpoint or router to endpoint) it is untagged
but between two swicthes and/or switch to router it must be tagged.

A VLAN at a WLAN AP with only one SSID is even untagged but with Multi SSIDs it must betagged.

Thanks for your reply.
I want three Virtual AP's on the Mikrotik And don't use the WLAN1 itself but only the virtual AP's
So How do I have to do this (in command line)?
I don't see tagged or untagged options in the Mikrotik. So don't know how to do this and creat this.

To access the tagged VLANs coming from the Cisco you need to create VLAN interfaces under /interface/vlan and assign them to the Ether port connected to the Cisco with the correct VLAN IDs. Then create the same number of bridges and add both the relevant VLAN interface and the corresponding WLAN (Virtual AP) interface in pairs as ports to the bridges.

i.e. you create VLAN interfaces and then bridge those interfaces to the Virtual AP interfaces.

Deleted because not related.

@CelticComms

i.e. you create VLAN interfaces and then bridge those interfaces to the Virtual AP interfaces.

Is there another way without bridging the interfaces and using a routing method?

Yes it would be possible but if there is no requirement to route bridging is more efficient.

Deleted because not related.

Hi,
The VLANS, BRIDGES and Port to BRIDGES are ok now I think but now the right routes for the VLAN's How do i do this?
I want that each VLAN use it's one gateway.

This is what I have:

# Add bridges
/interface bridge add name=BR-LAN disabled=no
/interface bridge add name=BR-GAST disabled=no
/interface bridge add name=BR-MOBILE disabled=no
/interface bridge add name=BR-TRUNK disabled=no

# add vlan's
/interface vlan add name=VLAN-TNW.LOCAL vlan-id=1 interface=ether1 disabled=no
/interface vlan add name=VLAN-GAST vlan-id=10 interface=ether1 disabled=no
/interface vlan add name=VLAN-MOBILE vlan-id=20 interface=ether1 disabled=no


# Add virtual-ap
/interface wireless add master-interface=wlan1 ssid=TNW.LOCAL security-profile=TNW.LOCAL name=VAP-TNW.LOCAL disabled=no
/interface wireless add master-interface=wlan1 ssid=GAST security-profile=GAST name=VAP-GAST disabled=no
/interface wireless add master-interface=wlan1 ssid=MOBILE security-profile=MOBILE name=VAP-MOBILE disabled=no

# Add ports to Bridge
# Bridge BR-LAN
/interface bridge port add interface=ether2 bridge=BR-LAN disabled=no
/interface bridge port add interface=ether3 bridge=BR-LAN disabled=no
/interface bridge port add interface=ether4 bridge=BR-LAN disabled=no
/interface bridge port add interface=VAP-TNW.LOCAL bridge=BR-LAN disabled=no
/interface bridge port add interface=VLAN-TNW.LOCAL bridge=BR-LAN disabled=no
# BR-GAST
/interface bridge port add interface=VLAN-GAST bridge=BR-GAST disabled=no
/interface bridge port add interface=VAP-GAST bridge=BR-GAST disabled=no
# BR-MOBILE
/interface bridge port add interface=VLAN-MOBILE bridge=BR-MOBILE disabled=no
/interface bridge port add interface=VAP-MOBILE bridge=BR-MOBILE disabled=no
# BR-TRUNK
/interface bridge port add interface=ether1 bridge=BR-TRUNK disabled=no
/interface bridge port add interface=ether5 bridge=BR-TRUNK disabled=no

# IP toewijzen aan BR-LAN
/ip address add address=192.9.201.243/24 interface=BR-LAN

# IP toewijzen aan BR-GAST
/ip address add address=192.9.210.1/24 interface=BR-GAST

# IP toewijzen aan BR-MOBILE
/ip address add address=192.9.220.1/24 interface=BR-MOBILE

I'm not sure what you mean by "right routes for the VLANs". How are you providing IP numbers to the wireless clients? If you have an upstream device doing that then it would set the gateway as required. If you want the routerboard to do that you would have to attach DHCP servers to the VLAN bridge interfaces.

Deleted because not related.

Perhaps you were in a thinking trap or false?
Perhaps you mean each VLAN should having or owning his own subnet?

At the routing device it should be created in my eyes.
- If the Managed Switch is a Layer3 one, you can do it from there.
- If the Managed Switch is a Layer2 only Switch, you "must" or better should do it at the Firewall.

http://postimage.org/image/5qna7fi89/full/

Hi but if I use the firewall as routing device I cant use hotspot on the Mikrotik is it?

Deleted because not related.

Hi, Thanks for your reply.
Yes of cource you have a point and yes you are right.
But let me explain what I'm doing.
I build a test enviroment with 20 users.
I use the RB951G-2HnD (because it is cheap and ok for the test.
If it works we will work it out in our production enviroment.
But it is crisis time and it is hard to get budget for a test enviroment so I try to do it this way.
I'm new with Mikrotik so must first have a good feeling with it and I must test if it is working.
Than I can go to the management and tell them I need more and bigger hardware to build it in the production enviroment.

Other question. The pictures you make are verry nice. What progamm do you use?
I like it verry much and want to try that allso.

Deleted because not related.

Wow Dobby,

Great tips.
Thanks a lot.
These books, where can I buy them??

Maybe I ask you alter for some advise for the routing device.
I want to test what I draw in the picture at the start of this topic.
But You told me it is much better to let an other device do the routing.
If want want to use usermanager with wifi (for guests and 2 oterh vlans for wifi with DHCP.
What must I do?