First of all, thank you for all your help, much appreciated!
Regarding network topology - it may appear complicated but, actually, it's very simple:
1. Main router CCR2216
2. 10-15 APs, all doing the same thing and configured in the same way, all of them Mikrotik.
3. A few switches in between, to provide PoE to APs and surveillance cameras and to connect them (and 4-5 PCs, a few printers) to CCR2116. Most of them Mikrotik.
4. Main subnet 192.168.0.0 - all physical LAN connectors connect to that network. All APs with main SSID are in that subnet. No restrictions regarding speed, access, etc. Main WAN for this subnet is "WAN2 (Optics)-ether2" with failover to "WAN1 (vDSL)-ether1".
5. Guest subnet 192.168.4.0 - All APs with virtual SSID are in this subnet. Restrictions regarding speed, access only to internet, nothing else. Main WAN for this subnet is "WAN1 (vDSL)-ether1" with failover to "WAN2 (Optics)-ether2".
6. Private-guest subnet 192.168.6.0 - All APs with second virtual SSID are in this subnet. Restrictions regarding speed (different from the first VLAN), access only to internet, nothing else. Main WAN for this subnet is "WAN1 (vDSL)-ether1" with failover to "WAN2 (Optics)-ether2".
7. "WAN3 (LTE-5G)-ether3" is currently disabled, not in use. It was used as second failover for all 3 subnets in case both WANs failed.
And that's it.
CCR2116 Observations
- Don't use bridge for dhcp
I'm not sure that I understood you correctly. Bridge is my private network, I also access it over wifi, not just from manual IP-assigned computers.
- Lacking some basic structure such as interface list and members...
Never bothered to use those.
- Where are your /interface bridge vlan settings?
Is it mandatory to put the main subnet (bridge) into a VLAN?
- Diagram does not detail which ports coming out of CCR216 are going to which device and carrying which subnets!
As mentioned above, all ports are exclusively part of the main 192.168.0.0 subnet.
For an internet-facing router, your firewall rules are very weak and incomplete?
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=fasttrack-connection chain=forward connection-state=\
established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=\
private-guest-vlan
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=\
guest-vlan
Hmm, apart from the rules above, what else do I need? The ones you wrote below?
Assumes sfp plus ports are going to zyxel/brocade,csr3051G and Netgear.
Other ethernet ports are going to hapac,hapac2,hapac3, basebox2, hexpoe, crs112
The netgear is unmanaged thus not sure how to best setup..so disabled for now.
Correct.
Brocade and Zyxel are disabled at the moment, until I figure out how to configure them properly. When configured they will be connected to CCR2116 via SFP+ ports.
All other ports on CCR2116 go to APs directly, PCs directly, or MT switches that have APs connected to them.
All APs, including Basebox, have all 3 SSIDs (trusted/mine, guest and private guest).
ether11 - yes, the plan was out-of-band management. Currently, it's part of the bridge.
Thank you once more!
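As an added example (not the poster's configuration, and not a rule set quoted from the helper), here is a baseline that addresses the two gaps raised above: missing interface lists and an input chain with no final drop, while keeping the guest isolation drops from the posted rules. It assumes ether1/ether2/ether3 are the WAN uplinks as named in the post, that the bridge plus guest-vlan and private-guest-vlan are the LAN side, and that 192.168.0.0/16 covers every internal subnet as the original rules already assume.

```routeros
# Interface lists let the filter rules match on a role instead of on port names.
# Assumed mapping from the post: ether1 = WAN1 vDSL, ether2 = WAN2 optics,
# ether3 = WAN3 LTE (currently disabled, but listed so it is covered if re-enabled).
/interface list
add name=WAN comment="internet-facing uplinks"
add name=LAN comment="trusted side: main bridge and both guest VLANs"
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=bridge list=LAN
add interface=guest-vlan list=LAN
add interface=private-guest-vlan list=LAN

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router itself started"
add chain=input action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
add chain=input action=accept protocol=icmp \
    comment="keep ping and path-MTU discovery working"
add chain=input action=drop in-interface-list=!LAN \
    comment="anything else to the router must come from LAN; closes WinBox/SSH/DNS/API from WAN"

# --- forward chain: traffic passing through the router ---
# Fasttrack is deliberately left out: it bypasses simple queues, which would
# defeat the per-subnet speed limits on the two guest VLANs described in the post.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# Guest isolation carried over from the posted rules: guests only reach the internet.
add chain=forward action=drop dst-address=192.168.0.0/16 in-interface=guest-vlan \
    comment="guest VLAN: no access to any internal subnet"
add chain=forward action=drop dst-address=192.168.0.0/16 in-interface=private-guest-vlan \
    comment="private-guest VLAN: no access to any internal subnet"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN \
    comment="no new inbound connections from WAN unless an explicit dstnat rule exists"
```

Rules are evaluated top to bottom, so any service that genuinely must be reachable from WAN gets its own accept rule placed above the input drop, and everything not listed stays closed by default.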