ehsan13
just joined
Topic Author
Posts: 1
Joined: Thu Apr 04, 2024 1:24 am

WiFi Isolation Using VLANs

Thu Apr 04, 2024 2:53 am

Hello,

I recently purchased a HAP AX3 for home use to explore and expand my knowledge of ROS. I'm interested in setting up a guest WiFi network with specific requirements:

Different SSID and password.
Guests should have internet access.
Isolate guest clients from accessing other parts of my network.
Ideally, block them from seeing other clients within the guest network.

While the first two requirements seem straightforward, I'm encountering difficulties in understanding and configuring VLANs for WiFi.

I've come across tutorials on achieving this, but they seem to focus on the older "wireless" package. Unfortunately, the newer "WiFi" package doesn't seem to have a VLAN section in the WiFi interface settings.

Additionally, I've noticed in some tutorials that firewalls are used to block access between VLANs. If I'm required to use a firewall, what's the purpose of using VLANs?

Any guidance or clarification on these matters and suggesting best practices would be greatly appreciated.

Thank you.
 
mkx
Forum Guru
Posts: 11748
Joined: Thu Mar 03, 2016 10:23 pm

Re: WiFi Isolation Using VLANs

Thu Apr 04, 2024 8:07 am

Additionally, I've noticed in some tutorials that firewalls are used to block access between VLANs. If I'm required to use a firewall, what's the purpose of using VLANs?

This is common knowledge, the same for all network vendors (in no way specific to MikroTik): OSI layers can explain some of your dilemma. VLANs are layer 2 and separate networking devices from each other if those are members of different VLANs (as if these devices were connected to separate Ethernet infrastructure).
IP (or IPv6) is layer3. Most often an IP subnet maps to single ethernet broadcast domain (or single VLAN if you wish).

Now: your wireless AP in principle works on layer 2 ... SSID represents L2, VLAN represents L2, you can connect the two together.
Alas: router works on layer3, it connects different IP subnets. Simpler routers will have one IP subnet connected to each ethernet port. If VLANs are used, then VLANs are considered as sort of "virtual ports" and then there is one IP subnet per "virtual port".
When a router has IP addresses in different IP subnets, it'll happily pass packets between those IP subnets. If you want to block such communication, you need some mechanism that blocks it. The simplest way of doing it is routing rules, but those are pretty rigid. Using a firewall (with its statefulness) is much more flexible.

BTW, for a router, all connected directions are the same, so for router WAN and LAN are not any different (the only difference is default route which usually points to WAN side). So without a firewall, the whole internet could access your LAN. With strategically constructed firewall rules it can not, but LAN can access the whole internet.


Back to VLANs and ROS specifics: read these two tutorials: viewtopic.php?t=143620 and viewtopic.php?t=173692
With new wifi driver, you create (real and virtual) SSIDs. Each will give you a separate wireless interface. You then make those interfaces access ports, members of appropriate VLANs ... you do that by setting appropriate pvid value to these bridge ports.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: WiFi Isolation Using VLANs

Thu Apr 04, 2024 5:05 pm

As noted, VLANs block at layer 2, firewall rules block at layer 3.
To block WITHIN layer 2, the same guest network, this has been accomplished by an access list (MAC address) within the WiFi settings.

https://help.mikrotik.com/docs/display/ ... AccessList
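Putting the two replies above into one concrete configuration, as an added example that is not code from either poster or from MikroTik: the guest SSID becomes a virtual wifi interface (mkx's step), that interface is a bridge access port with pvid=20 (layer 2 separation), a VLAN interface on the bridge gives the router its layer 3 "virtual port", and the firewall is what actually stops guest-to-LAN routing, which is the answer to the "why a firewall if I have VLANs" question. The datapath client-isolation setting addresses the fourth requirement (guests not seeing each other); llamajaja's post points at the wifi access list as another place to do this per client. Assumptions, all of them chosen for this example and to be adapted: RouterOS 7.13 or newer with the "wifi" package on a hAP ax3, radios named wifi1 and wifi2, a bridge named "bridge" that carries the home LAN untagged, an interface list named "WAN" as in the default configuration, VLAN ID 20, subnet 192.168.20.0/24, SSID "Guest", and the property names as documented for the wifi package on that version (check them with tab completion on your own unit before pasting).

```routeros
# Added example, not from the thread. Assumed names: radios wifi1/wifi2, bridge "bridge",
# interface list "WAN", VLAN 20, 192.168.20.0/24. Adjust before use.

# 1. Guest SSID as a virtual interface on each radio: one wireless interface per SSID (layer 2).
#    datapath.client-isolation=yes keeps guest clients on the same AP from talking to each other.
/interface/wifi
add name=wifi-guest-5g master-interface=wifi1 configuration.mode=ap \
    configuration.ssid="Guest" security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="change-me-guest-psk" datapath.client-isolation=yes disabled=no
add name=wifi-guest-2g master-interface=wifi2 configuration.mode=ap \
    configuration.ssid="Guest" security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="change-me-guest-psk" datapath.client-isolation=yes disabled=no

# 2. Make them access ports of the bridge: pvid is the untagged VLAN for everything entering the port.
/interface/bridge/port
add bridge=bridge interface=wifi-guest-5g pvid=20
add bridge=bridge interface=wifi-guest-2g pvid=20

# 3. Bridge VLAN table: VLAN 20 untagged on the guest ports, tagged towards the bridge (CPU) port
#    so the router itself can have an interface in that VLAN.
/interface/bridge/vlan
add bridge=bridge vlan-ids=20 tagged=bridge untagged=wifi-guest-5g,wifi-guest-2g

# 4. Layer 3: the "virtual port" for VLAN 20, its address, and DHCP for guests.
/interface/vlan
add name=vlan20-guest interface=bridge vlan-id=20
/ip/address
add address=192.168.20.1/24 interface=vlan20-guest
/ip/pool
add name=guest-pool ranges=192.168.20.10-192.168.20.250
/ip/dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool disabled=no
/ip/dhcp-server/network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 5. The router routes between 192.168.20.0/24 and the home LAN by default; the firewall says no.
#    These rules are appended, so they land after the default "accept established,related" rules,
#    which must stay above them so return traffic for guest internet sessions is still accepted.
/ip/firewall/filter
add chain=forward in-interface=vlan20-guest out-interface-list=WAN action=accept \
    comment="guest -> internet"
add chain=forward in-interface=vlan20-guest action=drop \
    comment="guest -> everything else (home LAN, other VLANs)"
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53,67 action=accept \
    comment="guests may use the router for DNS and DHCP"
add chain=input in-interface=vlan20-guest action=drop \
    comment="guests may not reach router management (WinBox, SSH, web)"

# 6. Enable VLAN filtering last, after reviewing the bridge VLAN table; a mistake here can
#    lock you out of the management VLAN, so keep a Safe Mode session open while doing it.
/interface/bridge
set bridge vlan-filtering=yes
```

To check the result from a guest client: it should get a 192.168.20.x lease, reach the internet, fail to ping the home LAN gateway or any LAN host, fail to open WinBox on 192.168.20.1, and fail to reach another guest client; `/ip/firewall/filter print stats` shows the drop counters climbing as each of those tests is run.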
