mkx
Forum Guru
Topic Author
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

wireless and multiple VLANs (not trunking)

Thu Mar 03, 2016 11:02 pm

Is it possible to make wlan interface member of several VLANs?

What I need is to make the wlan interface VLAN aware, have one VLAN ID for all ingress packets and be a member of multiple VLANs for egress packets. All packets transmitted over RF shall be untagged ...

My setup is such that the LAN is built around a managed switch and divided into a few VLANs. "Normal" LAN machines are members of one VLAN (e.g. default VLAN ID = 100) while the GW to the internet is a member of two VLANs (e.g. default VLAN ID = 105, additional VLAN ID = 100). If some LAN computers are allowed to "speak" to the GW, their corresponding switch ports are made members of VLAN 105. All LAN machines and the GW don't know about VLANs, hence their corresponding switch ports are "access" ports.

What happens is that ingress packets from LAN machines get tagged with VLAN ID = 100 upon entering the ethernet switch. As the GW is also a member of VLAN 100, packets get delivered to it as well. Likewise, all ingress packets from the GW get tagged with VLAN ID = 105. Only machines whose switch ports are members of VLAN 105 get GW packets delivered.

My RB951G-2HnD is connected to an ethernet switch trunk port, receiving VLAN tagged packets. I've made wlan a member of VLAN 100, and wifi clients can talk to other LAN machines. However, they cannot use the internet as replies from the GW are not handled by the wlan interface.
Please note that any packet transmitted over the air (WiFi) should be untagged (both ingress and egress). Just the way it can be done on wired ports.

Any idea?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: wireless and multiple VLANs (not trunking)

Thu Mar 03, 2016 11:21 pm

It sounds like you're using hardware switch features as a type of layer2 security feature....

Unfortunately for you, the hardware switch is just that - it doesn't also include the wlanX interface(s) of your router. Only the cpu-based bridge feature can connect the wlan interface to the hardware switch at layer 2. I've peeked through the bridge filter actions, and nothing appears to be able to manipulate vlan tags - it can match them but no action says "set vlan tag" or "remove vlan tag".

The only crazy thing I can think of is to put two vlan interfaces on the bridge, one for vlan 105 and one for vlan 100, and make another bridge that connects to both vlan interfaces, and be sure to put a split horizon value on the vlanX ports of this second bridge... then attach wlan1 to this second bridge (no horizon value on the wlan interface).

What's the goal you're accomplishing by using these vlans? Big-picture version of the goal like "I want some hosts to reach the Internet but others to be local-only" is what I'm looking for. It really sounds like separate LANs with different IP ranges and a couple of filter rules would be much easier to accomplish.
 
mkx
Forum Guru
Topic Author
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 12:03 am

What's the goal you're accomplishing by using these vlans? Big-picture version of the goal like "I want some hosts to reach the Internet but others to be local-only" is what I'm looking for. It really sounds like separate LANs with different IP ranges and a couple of filter rules would be much easier to accomplish.
You're right on, that's what I am already accomplishing with all these VLANs. Things are slightly more complicated (4 VLANs in use right now), but it does its job ... allowing me to define who can connect to whom. Sure it can be done with plenty of L3 routers, but that's overkill for a modest home LAN.

I'm trying to add a RB951 into the mix as I'd like to have WiFi with two different SSIDs, traffic separated to two different VLANs, one for full LAN (and internet) access, other for guests (internet only). Your suggestion about VLAN interfaces does seem worth thinking over. As I'm new to RouterOS it'll take some time for me to figure out how to set things properly. :?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 12:42 am

Well, you could probably skin this cat by using VAPs instead of putting an SSID on the main wlan interface - because VAPs support a vlan tag - and this means a tag on the wired side, not on the wireless lan.

The vlan interfaces are basically conduits to the CPU of the router just like any other physical interface. The "back" of the interface is the CPU, and the "front" of the interface dumps traffic onto whichever physical interface it's connected to. It listens on the media for frames having whatever tag is set in vlan-id (e.g. 105) and whenever it sees one, it picks up the tagged frame from the media, removes the tag, and kicks it up to the CPU. If the vlan interface is connected to a bridge as a port in the ports menu, then the newly-stripped frame will be placed on the bridge and forwarded however the bridge needs to forward it.... if there is no bridge, you could put an IP address on the vlan interface, for instance, and that would cause the Mikrotik to participate in the VLAN directly.

If you build the VLAN interface with the bridge as the physical interface, then what happens is that frames coming from the CPU out the vlan interface will be placed onto the bridge with a vlan header attached.

If you wanted tagged traffic on a wlan, for instance, you could add a vlan interface to the wlan1 interface - that would spit tagged frames onto the air waves, and listen to the air waves for tagged frames.... obviously that's not what you want here, but I thought I'd throw that in as an example to further illustrate the function of a vlan interface.

The horizon value I mentioned earlier is important in the "oddball" bridge idea - because it stops frames from entering on vlan100 and going out on vlan105. Nothing received on 105 may go out on 100, and nothing received on 100 may go out 105 - only wlan1 may send/receive from those vlans in this bridge.
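The two-bridge layout ZeroByte describes, written out as an added RouterOS v6 example (it is not ZeroByte's or MikroTik's own configuration). It assumes ether1 is the trunk port to the switch and uses the thread's VLAN IDs 100 (LAN) and 105 (GW); the bridge and interface names are chosen here. mkx reports later in the thread that he could not get this working, so read it as the description made concrete rather than a verified recipe.

```routeros
# Added example (not ZeroByte's or MikroTik's own config). Assumes RouterOS v6,
# ether1 as the trunk port to the switch, and the thread's VLAN IDs 100 and 105.

# First bridge: the wired side. The vlan interfaces are built on this bridge, so
# frames leaving them toward the wire carry a VLAN header.
/interface bridge
add name=br-wired
/interface bridge port
add bridge=br-wired interface=ether1
/interface vlan
add name=vlan100 interface=br-wired vlan-id=100
add name=vlan105 interface=br-wired vlan-id=105

# Second bridge: both vlan interfaces plus the radio. The same horizon value on
# the two vlan ports stops a frame received on vlan100 from being forwarded to
# vlan105 and vice versa; wlan1 has no horizon, so it may exchange frames with
# either VLAN. Frames on the air are untagged because wlan1 itself carries no tag.
/interface bridge
add name=br-wifi
/interface bridge port
add bridge=br-wifi interface=vlan100 horizon=1
add bridge=br-wifi interface=vlan105 horizon=1
add bridge=br-wifi interface=wlan1
```

One consequence worth checking before relying on the horizon for isolation: a broadcast or unknown-unicast frame arriving from wlan1 is flooded by br-wifi into both vlan100 and vlan105, so the switch learns each wireless client's MAC on both VLANs. Unicast replies are forwarded only to the vlan port where the destination MAC was learned, which is what keeps LAN-only hosts and GW traffic on their own VLANs.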
 
dboreham
Frequent Visitor
Posts: 96
Joined: Sat May 03, 2008 4:17 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 6:14 pm

What I need is to make the wlan interface VLAN aware, have one VLAN ID for all ingress packets and be a member of multiple VLANs for egress packets. All packets transmitted over RF shall be untagged ...
I'm a little confused by your description of tagging and un-tagging, but assuming you are asking "can I trunk VLANs to the AP and have each VLAN mapped to a separate wireless lan": yes, this is easily done. It is how I set up my APs. Proceed as follows:

1. Define several virtual APs on the wlan interface, each assigned a different SSID.

2. Define several vlan interfaces on the lan side, one for each vlan you want to handle, with the appropriate tag values.

3. Define several bridges in RouterOS (not switches). Assign one of the virtual AP interfaces and the vlan wired interface defined above to each bridge (one bridge per vlan).

It is step #2 that takes care of the tagging/untagging between the trunk port and the virtual AP lans.
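The three steps above as one complete RouterOS v6 configuration, added here as an example (it is not dboreham's own config). It assumes ether1 is the trunk port, wlan1 is the physical radio, VLAN 100 is the full-access LAN and VLAN 200 is a placeholder guest VLAN; SSIDs, profile names and the pre-shared keys are placeholders to replace.

```routeros
# Added example (not dboreham's or MikroTik's own config). Assumes RouterOS v6,
# ether1 = trunk to the switch, wlan1 = physical radio, VLAN 100 = LAN,
# VLAN 200 = guest (placeholder ID), CHANGE_ME_* = placeholder keys.

# Step 1: virtual APs on wlan1, one SSID each, with separate security profiles
/interface wireless security-profiles
add name=sp-lan mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE_ME_LAN
add name=sp-guest mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE_ME_GUEST
/interface wireless
set wlan1 mode=ap-bridge ssid=home-lan security-profile=sp-lan disabled=no
add name=wlan1-guest master-interface=wlan1 ssid=home-guest security-profile=sp-guest disabled=no

# Step 2: one vlan interface per VLAN on the wired trunk. These add the tag
# toward ether1 and strip it toward the bridge, which is why the VAPs stay untagged.
/interface vlan
add name=vlan100 interface=ether1 vlan-id=100
add name=vlan200 interface=ether1 vlan-id=200

# Step 3: one RouterOS bridge per VLAN, each joining exactly one VAP and one
# vlan interface, so guest and LAN frames never share a bridge
/interface bridge
add name=br-lan
add name=br-guest
/interface bridge port
add bridge=br-lan interface=vlan100
add bridge=br-lan interface=wlan1
add bridge=br-guest interface=vlan200
add bridge=br-guest interface=wlan1-guest
```

Because each bridge carries a single VLAN, a guest client has no layer-2 path to br-lan at all; the remaining thing to check is that the router's own management address is not reachable from br-guest (no IP on br-guest beyond what guests need, or an input-chain filter), otherwise the isolation holds for hosts but not for the AP itself.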
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 7:17 pm

I'm a little confused by your description of tagging and un-tagging,
I only recognized what he was doing because I'd taken over some hotspot networks at a condominium, and the previous provider had done something similar using Dell switches.

Basically, he's using vlans as a way to do host isolation. Everything's pretty much a flat IP network (I'm guessing - he may have two or more actual IP networks as well) but basically what he's doing is adding multiple untagged vlans to individual ethernet interfaces, so they'll transmit the broadcasts/unicasts originating from several vlans, but the ingress frames from hosts on those interfaces will always be considered to be only one certain vlan, thus these hosts may only transmit to other hosts whose interfaces are "subscribed" to that vlan. He's leveraging this behavior as a security mechanism.

Personally, I avoid such configurations because it's hard to grasp for new admins; it's not a kind of configuration that's supported by all vendors (I can't think of a way to accomplish this in Cisco, for instance - perhaps vlan translation rules?); and it can be hard to troubleshoot.
 
mkx
Forum Guru
Topic Author
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 10:29 pm

@ZeroByte is right and I couldn't describe what I'm doing so well.

I happened to get one d-link managed switch and later found out that it supports this kind of VLAN mess (it seems logical to me now that I'm used to it though). I hit the wall due to differences in how VLANs are treated by different vendors or even by a single vendor in different parts of their portfolio - I'm not sure but it seems to me that switched ethernet ports on the RB951 can behave similarly to the d-link switch I have, but not the wlan interface.

I've tried the idea about adding a few VLAN interfaces and building another bridge on top of them ... couldn't get that working (yet).

One question: @dboreham explained that step #2 takes care of tagging/untagging. Isn't wlan interface supposed to do that ... there's possibility to assign VLAN ID to wlan (and virtual AP interfaces as well). If that's not the case, what is VLAN ID definition on AP port good for?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: wireless and multiple VLANs (not trunking)

Fri Mar 04, 2016 11:09 pm

Honestly, I'd recommend that you just break your network into separated logical networks based on security policy- it will be so much easier to manage and troubleshoot, and you won't have to juggle vlan tags this way.

internet -> dmz = specified ports OK, rest = drop

guest lan -> internet = ok
guest lan -> everything else = drop

lan -> dmz = ok
dmz -> internet = ok
dmz -> lan = drop

But that's just my humble $0.02's worth.
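The policy ZeroByte lists, written out as an added RouterOS v6 firewall example (these are not ZeroByte's rules). It assumes ether1 faces the Internet, the three segments are separate bridges named br-lan, br-dmz and br-guest with their own subnets, and 192.168.20.10 with TCP 80,443 stand in for the DMZ host and the "specified ports". lan -> internet is not in ZeroByte's list and is assumed allowed; the guest rules in the input chain are an assumption about what "everything else" should mean for the router itself.

```routeros
# Added example (not ZeroByte's own rules). Assumes ether1 = Internet, br-lan /
# br-dmz / br-guest = the three segments, 192.168.20.10:80,443 = placeholder DMZ
# service. Rules are evaluated top to bottom; first match wins.

# Publish only the allowed DMZ service; nothing else is reachable from outside
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.20.10

/ip firewall filter
# Stateful baseline: replies to already-allowed sessions pass, junk is dropped early
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# internet -> dmz = specified ports OK (only what dst-nat published), rest = drop
add chain=forward in-interface=ether1 out-interface=br-dmz connection-nat-state=dstnat protocol=tcp dst-port=80,443 action=accept
add chain=forward in-interface=ether1 action=drop
# guest lan -> internet = ok; guest lan -> everything else = drop
add chain=forward in-interface=br-guest out-interface=ether1 action=accept
add chain=forward in-interface=br-guest action=drop
# dmz -> internet = ok; dmz -> lan = drop
add chain=forward in-interface=br-dmz out-interface=ether1 action=accept
add chain=forward in-interface=br-dmz out-interface=br-lan action=drop
# lan -> dmz = ok; lan -> internet assumed ok
add chain=forward in-interface=br-lan out-interface=br-dmz action=accept
add chain=forward in-interface=br-lan out-interface=ether1 action=accept
# anything not explicitly allowed above is dropped
add chain=forward action=drop

# The router itself is part of "everything else" for guests: let them reach only
# its DHCP and DNS services, then drop the rest (assumption, see lead-in)
add chain=input connection-state=established,related action=accept
add chain=input in-interface=br-guest protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=br-guest action=drop
```

The ordering matters: the per-segment accept rules sit above the final forward drop, and the dstnat accept is tied to `connection-nat-state=dstnat` so that opening a port in the NAT table and in the filter stays a single, reviewable decision rather than two lists that can drift apart.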
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: wireless and multiple VLANs (not trunking)

Sat Mar 05, 2016 1:22 am

... there's possibility to assign VLAN ID to wlan (and virtual AP interfaces as well). If that's not the case, what is VLAN ID definition on AP port good for?
That's a relatively new feature. Let's say you have a vlan trunk on ether1 with vlans 10, 11 and 12. You can simply bridge together ether1 and wlan1, then set the vlan id for wlan1 to 10 and all wireless clients will by default go into vlan 10 (it will work as an untagged access port). And then you can use the wireless access list to put specific clients into other vlans. And it can all be done with just a single ssid and without the need to define any vlan interfaces on ether1.
Or if you want multiple ssids (I did not test this, but I think it would work) you could bridge the above ether1 (with vlan trunk) with wlan1 (with vlan id 10), virtual wlan2 (with vlan id 11) and virtual wlan3 (with vlan id 12) all together and things would be nicely separated. And all that with just a single bridge.

How useful it can be for you, I'm not sure, because I'm a little lost in your description. If I understand it correctly, you need (some) wireless clients to belong to more than one vlan. I think there's no shortcut for that and you would need some multi bridge/horizon magic as described by ZeroByte in his first post.
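Sob's single-bridge approach as an added RouterOS v6 example (not Sob's or MikroTik's own configuration). It relies on the wireless interface's `vlan-mode` and `vlan-id` settings and the same settings in the wireless access list; it assumes ether1 is the trunk carrying VLANs 10, 11 and 12, and the MAC address is a constructed placeholder from the documentation range. The multi-SSID part at the end is the variant Sob says he did not test.

```routeros
# Added example (not Sob's or MikroTik's own config). Assumes RouterOS v6 with
# vlan-mode/vlan-id on wireless interfaces, ether1 = trunk with VLANs 10/11/12,
# and 00:00:5E:00:53:01 = constructed placeholder MAC.

# One bridge joining the trunk port and the radio; no vlan interfaces needed
/interface bridge
add name=br-trunk
/interface bridge port
add bridge=br-trunk interface=ether1
add bridge=br-trunk interface=wlan1

# Every client on wlan1 lands untagged in VLAN 10 by default: the radio adds the
# tag toward the bridge and strips it toward the air, like an access port
/interface wireless
set wlan1 mode=ap-bridge ssid=home vlan-mode=use-tag vlan-id=10 disabled=no

# Per-client override: this station is placed in VLAN 11 under the same SSID.
# The access list is matched on the client MAC, so it is a convenience, not an
# authentication boundary; anything relying on it should be tied to the security
# profile (or RADIUS, as chechito notes) rather than the address alone.
/interface wireless access-list
add interface=wlan1 mac-address=00:00:5E:00:53:01 vlan-mode=use-tag vlan-id=11

# Multi-SSID variant (untested per Sob): a virtual AP with its own vlan-id,
# on the same single bridge
/interface wireless
add name=wlan1-guest master-interface=wlan1 ssid=guest vlan-mode=use-tag vlan-id=12 disabled=no
/interface bridge port
add bridge=br-trunk interface=wlan1-guest
```

With this layout the bridge itself sees tagged frames only, so an IP address placed directly on br-trunk would sit on the trunk's untagged VLAN; for management it is cleaner to add a vlan interface on br-trunk for the VLAN you administer from and to address that instead.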
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: wireless and multiple VLANs (not trunking)

Sat Mar 05, 2016 1:38 am

If you want to selectively tag the traffic of wlan clients with the corresponding VID when you put that traffic on the wired network, you need to use RADIUS.
 
dboreham
Frequent Visitor
Posts: 96
Joined: Sat May 03, 2008 4:17 pm

Re: wireless and multiple VLANs (not trunking)

Sun Mar 06, 2016 7:06 am

One question: @dboreham explained that step #2 takes care of tagging/untagging. Isn't wlan interface supposed to do that ... there's possibility to assign VLAN ID to wlan (and virtual AP interfaces as well). If that's not the case, what is VLAN ID definition on AP port good for?
I think it does the exact same thing. It may have been added as a feature with the fast path, I'm not sure. It post-dates me figuring out how to do vlan bridging to virtual APs.
 
mkx
Forum Guru
Topic Author
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: wireless and multiple VLANs (not trunking)

Sun Mar 06, 2016 10:11 am

I've decided to "flatten" my VLAN setup and introduce a L3 router between different (security induced) parts of my LAN. My original dilemma/question is therefore now nonexistent.

I want to thank all of you for all the information and suggestions!
