====== Mikrotik RouterOS VLANs and Wifi ======
for hAP ax²

by Claude

===== Step-by-Step Setup =====
==== 1. Plan Your VLANs ====

  * VLAN 10: Main network (192.168.10.0/24)
  * VLAN 20: Guest WiFi (192.168.20.0/24)
  * VLAN 30: IoT devices (192.168.30.0/24) - optional
==== 2. Create VLAN Interfaces ====

<code>
/interface vlan
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
</code>
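==== 3. Configure Bridge VLAN Filtering ====

First, enable VLAN filtering on your bridge. Make this change in Safe Mode: once filtering is on, ports left on the default pvid=1 are not members of VLAN 10, 20 or 30 and get no address from the DHCP servers in step 4.

<code>
/interface bridge
set [find name=bridge] vlan-filtering=yes
</code>

Then set up VLAN membership. The bridge itself must be a tagged member so that the VLAN interfaces from step 2 receive traffic. ether1 is tagged here as a trunk port, which only applies if ether1 is a port of this bridge; note that step 7 treats ether1 as the WAN interface.

<code>
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 vlan-ids=30
</code>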
==== 4. Assign IP Addresses and DHCP ====

<code>
/ip address
add address=192.168.10.1/24 interface=vlan10-main
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-iot

/ip pool
add name=pool-main ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200

/ip dhcp-server
add address-pool=pool-main interface=vlan10-main name=dhcp-main
add address-pool=pool-guest interface=vlan20-guest name=dhcp-guest
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
</code>
==== 5. Configure WiFi Networks ====

For the hAP ax², you'll configure separate SSIDs:

<code>
/interface wifi
# Main WiFi
set wifi1 configuration.ssid="YourMainSSID" security.authentication-types=wpa2-psk,wpa3-psk security.passphrase="YourPassword"
# Guest WiFi - add a virtual interface
/interface wifi add master-interface=wifi1 name=guest-wifi configuration.ssid="GuestWiFi" security.authentication-types=wpa2-psk security.passphrase="GuestPassword"
</code>
==== 6. Assign WiFi to VLANs ====

<code>
/interface bridge port
set [find interface=wifi1] pvid=10
add bridge=bridge interface=guest-wifi pvid=20
</code>
==== 7. Firewall Rules for Guest Isolation ====

<code>
/ip firewall filter
# Allow guest to access internet only
add chain=forward action=accept in-interface=vlan20-guest out-interface=ether1 comment="Guest to WAN"
add chain=forward action=drop in-interface=vlan20-guest comment="Block guest from other VLANs"
# Allow established/related connections
add chain=forward action=accept connection-state=established,related
# Optional: Block inter-VLAN access
# (traffic arriving on vlan20-guest is already dropped by the "Block guest from other VLANs" rule above,
#  so these two only take effect if that rule is removed)
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.10.0/24
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.30.0/24
</code>
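
The rules in step 7 cover only the forward chain, so traffic from guest clients to the router itself (192.168.20.1) is not restricted by them. The following is an added example, not part of the original guide, that limits guests to DHCP and DNS on the router. It assumes the router answers both on the guest VLAN, as step 4 configures, and that these rules are placed above any broader input accept or drop rules already present.

```routeros
# Added example: input-chain rules for the guest VLAN (interface name from step 2).
# Assumption: the router is the guests' DNS server (dns-server=192.168.20.1 in step 4),
# so its resolver must answer clients. Keep port 53 closed on the WAN side.
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# Replies to connections the router itself opened (for example upstream DNS lookups)
add chain=input action=accept connection-state=established,related comment="Input: established/related"
# DHCP requests from guest clients to the router's DHCP server
add chain=input action=accept in-interface=vlan20-guest protocol=udp dst-port=67 comment="Guest DHCP"
# DNS queries from guest clients to the router
add chain=input action=accept in-interface=vlan20-guest protocol=udp dst-port=53 comment="Guest DNS (UDP)"
add chain=input action=accept in-interface=vlan20-guest protocol=tcp dst-port=53 comment="Guest DNS (TCP)"
# Everything else from guests to the router: WinBox, SSH, WebFig and other services
add chain=input action=drop in-interface=vlan20-guest comment="Drop guest to router"
```

The same four guest rules can be repeated with in-interface=vlan30-iot for the IoT VLAN. Check the resulting order with /ip firewall filter print where chain=input, since the first matching rule wins.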