NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

VLAN for wireless clients to isolate virtual machines

Tue Mar 19, 2024 6:26 pm

Hello,

I have a Windows PC with some Hyper-V virtual machines configured. The PC is connected to the MikroTik over a wireless connection.

The Hyper-V machines are connected to the wireless NIC to be able to access the internet. They are on the same subnet as the PC. I would like to isolate the virtual machines but have them keep access to the internet.

Hyper V manager can assign VLAN IDs to the clients. I can solve the issue by creating two subnets, one for the Hyper V machines with tagged packets and the other subnet untagged. I need to have an untagged subnet for the other devices such as mobiles.

Is there a way to use one SSID with one untagged and one tagged subnet?
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for wireless clients to isolate virtual machines

Tue Mar 19, 2024 8:18 pm

Standard 802.11 (a.k.a. WiFi) doesn't foresee using VLAN tags over radio. MikroTik does support sending those headers (with some smart configuration). It also supports delivering frames of different SSIDs (i.e. virtual WLANs) into different VLANs.

But then there's the other end: the Windows machine with its wireless drivers and the whole Hyper-V machinery. And Windows is known to make some things harder than they need to be.
 
gotsprings
Forum Guru
Posts: 2124
Joined: Mon May 14, 2012 9:30 pm

Re: VLAN for wireless clients to isolate virtual machines

Tue Mar 19, 2024 9:16 pm


"Is there a way to use one SSID with one untagged and one tagged subnet?"

You can do that with an ACL. But you have to know the MAC address of anything that you want to tag outside of the default VLAN on the SSID.
 
NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Re: VLAN for wireless clients to isolate virtual machines

Fri Apr 12, 2024 7:04 pm

Thanks @gotsprings

Access can be limited with a Hyper-V access list; either IPs or MAC addresses can be used. Below is an example.

```powershell
# Show the configured ACL rules
Get-VMNetworkAdapterExtendedAcl

# Allow access to public IPs and block access to subnet 192.168.0.0/16.
Add-VMNetworkAdapterExtendedAcl -VMName "Windows" -Action Allow -Direction Outbound -RemoteIPAddress 192.168.1.1 -Protocol "UDP" -RemotePort "53" -Weight 90
Add-VMNetworkAdapterExtendedAcl -VMName "Windows" -Action Deny -Direction Outbound -RemoteIPAddress 192.168.0.0/16 -Weight 80

# Remove the ACL rules
Remove-VMNetworkAdapterExtendedAcl -VMName "Windows" -Direction Outbound -Weight 90
Remove-VMNetworkAdapterExtendedAcl -VMName "Windows" -Direction Outbound -Weight 80
```
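
An added example, not part of the original post: the same extended-ACL approach applied to a list of VMs, extended to also block unsolicited inbound traffic from the LAN and to skip rules that are already present. It assumes 192.168.1.1 is the router, DNS and DHCP server and that the LAN lies inside 192.168.0.0/16 (both addresses from the post); the VM list and the weights are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed: 192.168.1.1 is the router, DNS
# and DHCP server and the LAN sits inside 192.168.0.0/16 (addresses from the
# post); the VM list and the weights are placeholders.
$Gateway = '192.168.1.1'
$Lan     = '192.168.0.0/16'
$VMNames = @('Windows')

# Higher -Weight is matched first, so the narrow Allow rules outrank the Deny
# rules. -Stateful $true tracks the flow so that DNS replies are admitted
# despite the inbound Deny. Traffic to public addresses matches no rule.
$Rules = @(
    @{ Action = 'Allow'; Direction = 'Outbound'; RemoteIPAddress = $Gateway
       Protocol = 'UDP'; RemotePort = '53'; Weight = 90; Stateful = $true }  # DNS
    @{ Action = 'Allow'; Direction = 'Outbound'; RemoteIPAddress = $Gateway
       Protocol = 'TCP'; RemotePort = '53'; Weight = 91; Stateful = $true }  # DNS over TCP
    @{ Action = 'Allow'; Direction = 'Outbound'; RemoteIPAddress = $Gateway
       Protocol = 'UDP'; RemotePort = '67'; Weight = 92 }                    # DHCP renewals
    @{ Action = 'Allow'; Direction = 'Inbound'; RemoteIPAddress = $Gateway
       Protocol = 'UDP'; RemotePort = '67'; Weight = 93 }                    # DHCP replies
    @{ Action = 'Deny'; Direction = 'Outbound'; RemoteIPAddress = $Lan; Weight = 80 }
    @{ Action = 'Deny'; Direction = 'Inbound';  RemoteIPAddress = $Lan; Weight = 81 }
)

foreach ($vm in $VMNames) {
    $existing = @(Get-VMNetworkAdapterExtendedAcl -VMName $vm)
    foreach ($rule in $Rules) {
        # Skip a rule whose direction and weight are already in use on this VM.
        $taken = $existing | Where-Object {
            $_.Direction -eq $rule.Direction -and $_.Weight -eq $rule.Weight
        }
        if ($taken) {
            Write-Warning "$vm already has a $($rule.Direction) rule with weight $($rule.Weight); skipped"
            continue
        }
        Add-VMNetworkAdapterExtendedAcl -VMName $vm @rule
    }
    # Show the resulting rule set so the Allow/Deny order can be checked.
    Get-VMNetworkAdapterExtendedAcl -VMName $vm |
        Sort-Object Direction, Weight |
        Format-Table Direction, Action, RemoteIPAddress, Protocol, RemotePort, Weight, Stateful
}
```

To undo it, call Remove-VMNetworkAdapterExtendedAcl for each VM with the matching -Direction and -Weight values.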
