After spending a couple days watching tutorials and reading stuff about all the wonderful things mikrotik routers can do for one's life, and after purchasing a hap ac2, I have realized that my home router provided by my isp does not do bridged mode. I have spoken to them, the isp lot, and they say it can't be done because they have flashed a special rom that does not support bridging. So I'm stuck with that device, whether I like it or not. I can disable the dhcp server, change the ip address, and other pretty basic stuff.

Could somebody please point me in the right direction to setting up my mikrotik?

What I want is to have three vlans at home. One for trusted devices (my computer, nas, vpn, etc...), one for my children (with a pihole on it), and another for untrusted devices (smart tvs, alexa, ip cameras, IoT, etc...). But they should all have internet access through the limited router provided by my isp. How hard is that for a newbie?

My setup is:

ISP ROUTER <--> Mikrotik hap ac2 <--> Switches around the house that support vlans connected to things

Thanks a lot.

The hapac2 is still good to use.
Think of it as getting a private IP from your ISP vice a public.
Decide what IP you want the WANIP to be on the hapac2 and create an IP address for it with interface ether1 (assuming ether will be connected to our isp router).
The only issue will be if you need to forward ports, then you will need to forward them twice, once from the ISP router to the WANIP of your router and then internally on the hAPAC2.

Thank you.

As a parent and worker, I have little time to play. This router is very complex, and is going to require quite a bit of time. So patience is going to be necessary.

Using the quick setup, setting the internet section to automatic, I could get internet in the entire house. But setting up all the vlans, setting up the bridges, and everything else is going to be a big big challenge for me.

IF I get it going, I might post the step by step process here.

Doesn't anybody have a step by step process already?

Cheers!

RouterOS is so versatile that there isn't a one-for-everybody way of doing things. ROS has a steep learning curve, but when you get over the initial steep part, it becomes all pleasure.

My advice: start from foundations. On drawing board. First plan the physical connections (wireless as well). On top of physical connections come VLANs. On top of that comes everything else. BTW, this has to be done with any equipment vendor, not just Mikrotik.

Worth to read: a very good tutorial on VLANs in ROS and explanation about different bridge functions (you'll run into dilemma why the heck bridge is treated in different ways).

Another advice: keep default firewall setup intact as far as it goes. It is pretty solid to start with, you'll only have to make minor adjustments to make it fit your VLAN layout.

Thank you very much for the advice. I'll get to it as asap.

If all your switches are VLAN aware, you can make things (a little) simpler by making all wired ports trunk ports, which carry all VLANs tagged.
The second post in this thread will help with the basics: viewtopic.php?t=143620
I say this makes things a little easier as you don't need to differentiate between which physical ports are tagged and untagged, and you don't need to configure additional PVIDs for untagged VLANs.
Also, remember to always add the Bridge interface to the VLAN too, normally tagged. That's caught me out a few times and led to frustration when I've done a dumb and forgotten

Treat the WiFi as a separate interface, and add it to the bridge one the wired ports are working, using the 3rd post in the thread above.

And my learned colleagues have said previously, draw a diagram and mark physical links, wireless links, IP addresses and DHCP scopes on it, and mark them off as you configure them.

Dont be shy about posting your config here if not sure about settings..........
/export hide-sensitive file=anynameyouwish

and use the code tags to keep it small (black square above with white square brackets)

Thank you for being so friendly. And yes, I'm shy and a bit embarrassed I got myself into such a complex mess.

But I have good and bad news. The good news is that my ISP provider, in response to my question about my router not being capable of doing bridged mode, yesterday a guy turned up at my place to change my router. I now have a huawei gpon modem that only works in bridged mode. That's nice of them.

The bad news is I now don't have any internet at home.

So, I guess I should start from the very beginning. I have tried to reset my hapac2, with weird success. After a few failed attempts using the reset button, I finally got it to reset. I could not access from linux, I had to boot into windows and use winbox, that worked. I suppose I'm missing some silly detail somewhere.

I'll start by drawing my desired setup as you suggest.

This is my desired setup. But just getting the begging first is number one priority: get internet working.

The rest is pretty straight forward, ideas I got from the internet.
Wifi 1 for guests, 2 for kids and 3 for me and my wife.
Vlan 1 for cctv, no internet access. (Cheap stuff, spying cameras, might be used for attacks like distributed DoS, etc...)
Vlan2 for untrusted stuff like Alexa, smart TVs, etc...
Vlan 3 for kids, with a pihole to restrict undesired content.
Vlan 4 for my wife and me.
Vlan 5 for guests.

Maybe a lot of this is unnecessary but I think it can be very educational to get it up and running. I also have a vpn server, a nas server, a ftp sefver and a print cups server. I am still wondering where to put these. I guess the vpn should be on vlan4, to access my private stuff from outside. But the nas and print server should be accessed by me, and my kids who would also have a user account on the nas. I'm thinking this is going to be complex to setup. Up until now, I had this all working on one same network. But as my kids started watching things I didn't like, I am in the need to improve my networking skills.

Thanks.

Ok, that's completely doable.

Let's start with the wired bits first. With the router connected to the GPON, do you have a connection to the internet? You will likely need to set up a PPPoE connection on the interface connected to the GPON. When you can ping 8.8.8.8 and google.com from the router, you know that is sorted.

Then use 3 ethernet ports as trunk ports to your three VLAN aware switches, with all VLANs tagged. The thread at viewtopic.php?t=143620 has the sample config to configure this. Make sure you have IPs, IP Pools and DHCP Server Network and DHCP Server for each VLAN configured.

Once you have this, it's a simple case of setting a data path for each SSID to tag it's traffic with the appropriate VLAN ID.

The final step is firewalling each VLAN appropriately.

Dont use vlan #1, that is the default on the bridge and on most switches etc.

Just use
vlan10
vlan11
vlan12
vlan13
etc.......

Also decide which vlan is your management vlan as you are the admin,, sounds like your vlan 4 (or vlan14) would suffice......