You don't have to use VLANs for a guest network.
Here is an example configuration that I put together today on a hAP ax2. This box is added to an existing network with a Draytek router, and acts as a WiFi access point for the private network, a switch for the till in a coffee shop, and a guest WiFi that is firewalled and NATed.
Of course if you have the Mikrotik as your only router then you will need to do things a little differently.
(Also, this is a single-AP solution. I imagine things would need to be different if using more than one AP. I did set that up (with VLANs over a single ethernet cable between cAP ax and hAP ax2 - I wrote/ranted about that a few months ago). I think the things that have caught me out in the past are that the 'datapath' needs configuring on the CAP, and also the 'slaves datapath' again must be done on the CAP, not capsman.)
It puts guest WiFi in a subnet and does NAT/masquerade for guest WiFi. You can see the 'masquerade/srcnat' rule is matching on src-ip = 192.168.200.0/24.
There is a firewall rule to block 192.168.200.0/24 -> 192.168.0.0/16 (any 192.168 class C. This should probably be amended to suit 10.x.x.x/8 and 172.16 etc. if needed.)
For private WiFi, it does no natting and just acts as an access point.
All 5 ethernet ports are bridged so for the private side, the ethernet ports can be used as switch ports and also any of them can be connected to existing network.
For guest WiFi, it has a second bridge created which has a private IP 192.168.200.1. A DHCP server is created for that subnet. On the CAP configuration, 'slaves datapath' points to a datapath which has 'guest-wifi bridge' as the bridge.
DHCP client obtains IP and default route from network using any of the bridged ethernet ports.
Remember you have to set 'manager = capsman' for the wifi interfaces. For some reason this setting does not come out in the config export.
/interface bridge
add admin-mac=48:A9:8A:35:65:14 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add name=guest_WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=guest_WiFi disabled=no name=guestWiFi
add bridge=bridge disabled=no name=Private_WiFi
/interface wifi configuration
add country="United Kingdom" datapath=guestWiFi disabled=no mode=ap name=\
    "Guest WiFi" ssid=GuestWiFi
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Private_WiFi passphrase=\
    Private_WiFi_Password
/interface wifi configuration
add channel.width=20mhz country="United Kingdom" datapath=Private_WiFi disabled=no \
    mode=ap name=Private_WiFi security=Private_WiFi security.ft=no ssid=Private_WiFi
/interface wifi
set [ find default-name=wifi1 ] configuration=Private_WiFi disabled=no
add configuration="Guest WiFi" disabled=no mac-address=4A:A9:8A:35:65:18 \
    master-interface=wifi1 name=wifi2
set [ find default-name=wifi2 ] configuration=Private_WiFi disabled=no
add configuration="Guest WiFi" disabled=no mac-address=4A:A9:8A:35:65:19 \
    master-interface=wifi2 name=wifi3
/ip pool
add name=guest-wifi ranges=192.168.200.11-192.168.200.200
/ip dhcp-server
add address-pool=guest-wifi interface=guest_WiFi lease-time=10m name=\
    guest-wifi
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=lo enabled=yes \
    slaves-datapath=guestWiFi
/interface wifi capsman
set enabled=yes interfaces=lo package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=Private_WiFi \
    slave-configurations="Guest WiFi"
/ip address
add address=192.168.200.1/24 interface=guest_WiFi network=192.168.200.0
/ip dhcp-client
add comment=defconf interface=bridge
/ip dhcp-server network
add address=192.168.200.0/24 comment="guest wifi" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.200.1
/ip firewall filter
add action=drop chain=forward comment="Drop Guest WiFi to LAN" dst-address=\
    192.168.0.0/16 log-prefix="drop gurest wifi to lan" src-address=\
    192.168.200.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Guest WiFi masquerade" \
    out-interface=bridge src-address=192.168.200.0/24
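
An added check for the caveat in the post about 10.x.x.x/8 and 172.16 (an illustration added here, not part of the original post): the Python below parses the posted `/ip firewall filter` rule and lists the RFC 1918 ranges that guest clients can still be forwarded to. `AMENDED_RULES` is a constructed variant, and the script assumes rules that match only on `src-address`/`dst-address`; rules carrying any other matcher are skipped.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Keys that do not narrow a rule beyond its src/dst match (assumption of this sketch).
PLAIN_KEYS = {"action", "chain", "comment", "log-prefix", "src-address", "dst-address"}

# Filter rule copied from the export in the post above.
POSTED_RULES = r'''/ip firewall filter
add action=drop chain=forward comment="Drop Guest WiFi to LAN" dst-address=\
    192.168.0.0/16 log-prefix="drop gurest wifi to lan" src-address=\
    192.168.200.0/24
'''

# Constructed variant (not from the post): one extra drop rule per remaining block.
AMENDED_RULES = POSTED_RULES + "".join(
    f"add action=drop chain=forward dst-address={n} src-address=192.168.200.0/24\n"
    for n in ("10.0.0.0/8", "172.16.0.0/12"))

def parse_rules(export):
    """Join backslash-continued lines and return each 'add' line as a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        if line.startswith("add "):
            pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def uncovered_private_ranges(export, guest="192.168.200.0/24"):
    """RFC 1918 space that no forward-chain drop rule blocks for the whole guest subnet."""
    guest_net = ipaddress.ip_network(guest)
    remaining = list(RFC1918)
    for r in parse_rules(export):
        if r.get("action") != "drop" or r.get("chain") != "forward" or "dst-address" not in r:
            continue
        if set(r) - PLAIN_KEYS:
            continue  # extra matchers narrow the rule, so do not count it as a block
        src = ipaddress.ip_network(r.get("src-address", "0.0.0.0/0"))
        if not guest_net.subnet_of(src):
            continue  # rule does not match every guest address
        dst = ipaddress.ip_network(r["dst-address"])
        nxt = []
        for net in remaining:
            if net.subnet_of(dst):
                continue  # fully blocked by this rule
            nxt.extend(net.address_exclude(dst) if dst.subnet_of(net) else [net])
        remaining = nxt
    return sorted(remaining)
```

The check only covers forwarded traffic; guest access to the router's own addresses is handled by the input chain, which this script does not look at.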