
MikroTik App
just joined
Topic Author
Posts: 2
Joined: Mon Jan 24, 2022 4:00 pm

Wireless Networking (Router-APs topology)

Mon Jan 24, 2022 4:11 pm

Hi everyone!

I'm new to MikroTik routers and APs (and wireless networking specifically) and I was wondering if I can create a wireless network using the MikroTik RB750Gr3 hEX (which has no wireless adapters) as my main router and some APs (such as Access Point MikroTik SXTsq 5 ac, for example) by connecting the APs to the RB750Gr3.

My objective is to separate the LAN from the WLANs, creating some separation between them and to create more than one wireless network (secure, guest, and maybe one for IOT).

The question is, can I achieve my objective with these devices?

Sorry if this is a bit basic, but I'm kinda new to wireless networking and I'm a bit overwhelmed with all of the options.
Thanks in advance!
Forum Guru
Posts: 11713
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireless Networking (Router-APs topology)

Mon Jan 24, 2022 6:12 pm

Yes, since you are a new person, some reading is in order.
To handle your requests, the easy way is to use vlans to separate the different LANs from each other (at layer 2).
Then we ensure, using ip firewall rules, that the vlans cannot talk to each other.
(Don't use capsman either; it's not required and adds complexity and overhead that is not of any value to you at the moment.)

This reference has the link for vlans, how to configure the MT device as an AP/switch which supports/complements the link for vlans, changing the default firewall rules to something that is still very simple but cleaner and better, and finally how to safely configure the MT router OFF bridge (the default comes with a bridge setup).

So in order, I recommend reading and executing the following steps:
1. (a) Configure Off Bridge first for the router.
(b) Consider configuring the AP OFF bridge as well, using a vWLAN: Secure 5GHz-1 WLAN1, Guest 5GHz WLAN2, IOT-vWLAN (parent WLAN2), OFF BRIDGE - OFF-vWLAN (parent WLAN1)
2. Then modify firewall rules
3. Then add vlans on MT Router etc.
4. Then configure AP/switch device


If you do take this approach any feedback to improve the documents or process would be much appreciated.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
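The steps above describe the router side of the design but the thread only shows an AP export, so here is an added example of what the matching hEX (RB750Gr3) configuration could look like. This is not code from the thread or from MikroTik's documentation; it assumes ether1 is the WAN port, ether2 is the tagged trunk to the AP, and VLAN IDs 11 (secure), 40 (guest) and 49 (IoT) with the 192.168.x.0/24 subnets shown, all of which are placeholders chosen for the example. The firewall lets every VLAN reach the internet, allows router administration only from the secure VLAN, and drops all VLAN-to-VLAN forwarding.

```routeros
# Added example (not from the thread): hEX router side of a router + VLAN-aware AP topology.
# Assumptions: ether1 = WAN, ether2 = trunk to the AP, VLAN 11 secure, 40 guest, 49 IoT.
/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on last, after the vlan table exists"
/interface bridge port
# The trunk accepts tagged frames only, so nothing from the AP can land untagged in VLAN 1
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 itself is tagged so the router's own /interface vlan interfaces can see each VLAN
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=49
/interface vlan
add interface=bridge1 name=secureVlan vlan-id=11
add interface=bridge1 name=guestVlan vlan-id=40
add interface=bridge1 name=iotVlan vlan-id=49
/interface list
add name=WAN
add name=LAN
add name=management
/interface list member
add interface=ether1 list=WAN
add interface=secureVlan list=LAN
add interface=guestVlan list=LAN
add interface=iotVlan list=LAN
# Only the secure VLAN is allowed to manage the router
add interface=secureVlan list=management
/ip dhcp-client
add interface=ether1 disabled=no
/ip address
add address=192.168.11.1/24 interface=secureVlan comment="secure (placeholder subnet)"
add address=192.168.40.1/24 interface=guestVlan comment="guest (placeholder subnet)"
add address=192.168.49.1/24 interface=iotVlan comment="IoT (placeholder subnet)"
/ip pool
add name=pool-secure ranges=192.168.11.100-192.168.11.200
add name=pool-guest ranges=192.168.40.100-192.168.40.200
add name=pool-iot ranges=192.168.49.100-192.168.49.200
/ip dhcp-server
add address-pool=pool-secure interface=secureVlan name=dhcp-secure disabled=no
add address-pool=pool-guest interface=guestVlan name=dhcp-guest disabled=no
add address-pool=pool-iot interface=iotVlan name=dhcp-iot disabled=no
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
add address=192.168.49.0/24 gateway=192.168.49.1 dns-server=192.168.49.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# input chain: traffic to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=management comment="admin access only from the secure VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP for every VLAN"
add chain=input action=drop comment="everything else, including all WAN input"
# forward chain: traffic through the router
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=drop comment="no VLAN-to-VLAN traffic and no unsolicited WAN-to-LAN traffic"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
/interface bridge
# Enabled last: turning this on before the vlan table and addresses exist can lock you out
set bridge1 vlan-filtering=yes
```

On the AP side this pairs with a bridge whose ether1 carries VLANs 11, 40 and 49 tagged and each WLAN untagged with the matching pvid, as in the export later in this thread; the isolation itself is done entirely by the final forward drop rule on the router, so the AP never needs to know about the other networks beyond tagging.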
just joined
Topic Author
Posts: 2
Joined: Mon Jan 24, 2022 4:00 pm

Re: Wireless Networking (Router-APs topology)

Tue Jan 25, 2022 11:31 am

Thanks for your help, I really appreciate it! I will follow your guide and try to implement it and I will give you feedback! Another question (that may sound kinda stupid): can the APs be from another brand? I read somewhere that it would only work with MikroTik APs, but it didn't sound right to me (or maybe it was just for capsman, idk).

Again, thank you for your help!
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: Wireless Networking (Router-APs topology)

Tue Jan 25, 2022 12:37 pm

APs can be different brands, after all they only act as converters between ethernet and wifi.

The nice thing about using gear from a single vendor is that many vendors offer software (or a service) which enables centralized management. E.g. if you have 5 APs, without centralized management you have to configure SSID, PSK and what not on each of them individually. Also software upgrades have to be done manually on each individually. With centralized management you can configure things centrally (and once for all), and software upgrades can be semi-automatic.
Mikrotik does offer such a solution (CAPsMAN) and the great thing about it is that it actually runs on your router (which can be wireless-less) if you use Mikrotik as your main router. Some vendors require a dedicated appliance (or virtual machine) to host the management part of the solution.
Forum Guru
Posts: 11713
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireless Networking (Router-APs topology)

Tue Jan 25, 2022 2:04 pm

Now that the theory has been eloquently waxed into the ear drum, a dose of reality check.
Capsman is the best AP management control software I've seen.
MT wifi is some of the poorest home wifi I have ever seen. The latest newest gizmos, audience and capacXL, may actually meet what other vendors have been doing on wifi 5 for five years.
Thus, capsman makes admins happy but who the PHUCK cares if the customers and family are not happy :-)
When MT provides capac6 and preferably 6E, I will be buying it right away and learning capsman..........but until then not a sweet chance I will look at it or promote it on the forums.

Now back to your question: yes, I use both the capac (mainly so I can help others) and TPLINK models that are vlan capable, and they work great with MT devices. Easy to configure, they work and follow standard vlan usage (unlike Ubiquiti products, which are just weird).

Here is my setup for my capac:
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=cerv49 vlan-id=49
add interface=bridgegym name=homeVlan vlan-id=11
add interface=bridgegym name=mediaVlan vlan-id=40
/interface list
add name=WAN
add name=LAN
add name=management
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled mac-address=xx.xx.xx.xx  master-interface=mediaWlan multicast-buffering=disabled \
    name=testaccess security-profile=testprofile ssid=capacbackdoor wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=11
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=11
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface detect-internet
set detect-interface-list=management internet-interface-list=management lan-interface-list=management
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
add interface=testaccess list=management
/ip address
add address= interface=homeVlan network=  comment="IP of capac on trusted subnet"
add address= interface=emergaccess network= comment="ether2 access off bridge"
add address= interface=testaccess network=  comment="vWLAN access off bridge"
/ip dns
set allow-remote-requests=yes servers= comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address= gateway= comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set winbox address=y.y.y.y/24,z.z.z.z,s.s.s.s
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!