Hello,

I have a RB5009UG as my main Router/Firewall/Nat ect. From this I have a Hap AX2 and a Hap AX3. Both of these are used mainly as APs for 2.4Gz and 5GHz wifi, each having there own SSIDs for the separate bands (i.e 4 SSIDs total between the two boxes). Each are also being used as switches to provide internet access for LAN devices too. Both 2.4GHz wifi networks are used solely to provide access to weather station, Feit security cams, doorbell, and, power switches that rely on manufacturer apps for access/control. I would really like to be able to separate these devices onto their own VLAN that has no access to the rest of my LAN/5Ghz Wifi network just the required internet access path.

Questions:
1) Can this even be done with my equipment?

2) If so, what's the best way to approach it? The RB5009 is obviously the more powerful unit, should it be used to handle the VLAN setup by putting the Haps into capman mode and would this allow the RB5009 to be the only DHCP server. Right now each Hap is operating with it's own DHCP address list.


Thanks
Andrew

Yes, use all vlans
vlan10 home
vlan20 IOT devices 2ghz
vlan25 IOT devices 5ghz
vlan30 guest wifi
let your imagination run wild...

Vlan guide --> viewtopic.php?t=143620

To setup vlan bridge filtering with minimal fuss
take one port off the bridge and give it its own IP address like 192.168.55.1/24
and then plug your laptop/desktop into this port for configuring the router ( simply change your ipv4 settings on the PC so something like 192.168.55.5

I'm really hoping to keep the setup as simple as possible.

1) Can I have just one VLAN only for the wifi 2.4GHz devices?

2) Should I be using CAPsMAN controller on the RB5009? Do I have to put the Hap AX3 and HAP AX2 into CAPMAN mode? If so what happens to the physical connections on these Haps, do they still work but get IP address assignments from the DHCP server on the RB5009?

If just starting out I do personally would stay away from capsman, it adds a layer of additional complexity that should only be tackled when more comfortable with RoS.
Yes you can only use one vlan for 2.4 but then all users on that vlan will have access to each other.
The idea is to create virtual wlans if required and separate them via vlans.

If just starting out I do personally would stay away from capsman, it adds a layer of additional complexity that should only be tackled when more comfortable with RoS.
Yes you can only use one VLAN for 2.4 but then all users on that VLAN will have access to each other.
The idea is to create virtual wlans if required and separate them via vlans.

Interaction between devices on the 2.4GHz WIFI is not an issue as they are pretty much all Feit or similar type devices similar to IOT (but not actually using the IOT protocols), nothing else will be using this WLAN. I just need them isolated from my the rest of my LAN/WLAN networks.

So if I don't use CAPsMAN, I then need to setup separate VLANs one for the Hap AX3 and one for the Hap AX2? These will each need trunk VLANs back to the RB5009 which will also need a VLAN to route these to the internet interface? Each VLAN will need IP arranges assigned separately?

Or is there a way (besides CAPsMAN) for the RB5009 to control all the VLANs and issue IP addresses?

Regards
Andrew

All the control setup is done on the main router,
The second device acting solely as a swittch/AP has a minimal setup.

All the control setup is done on the main router,
The second device acting solely as a swittch/AP has a minimal setup.

Currently both Haps are setup up as default configuration operating as their own router/bridge and AP. So would I have to reset the systems to bring them up as switches/APs?

Just one of them. One would be the main router, the other would solely be an AP switch.

Just one of them. One would be the main router, the other would solely be an AP switch.

The RB5009 is the router with each hap being used as an AP providing coverage in different parts of the property. So in order to get the wifi vlan traffic to travel out ether1 port the hap has to be configured in switch/AP mode? There is no way for this to work if the hap is in router mode?

Why do you need the hap to act as router?? All you need is for it to provide wifi locally and perhaps some of its port as local ethernet connections to another switch in the area or to other devices.
The way to do this is to send to the haps, all the vlans required that it will handle ( vlanX for wlan1, vlanY for wlan2, possibly more wlans, and required vlans for port attached devices ).
One vlan is used as either a trusted vlan or managment vlan to give the hapac its own IP address and for you as admin to reach it for configuration purposes.
I would also take one port on each hapac off the bridge so you can access it locally in case.

I don't need them in router mode they came that way and is how they were originally installed into the network. For simplicity I was wanting to know if it was possible but doesn't matter now as I have reset the HAP AX3 with no default configuration and now have it running as plain switch/AP. The only issue I'm having now is that when trying to check if there is a software update for the HAP AX3 via winbox, I get an error message stating "ERROR: could not resolve dns name". -- Never mind found a video that showed how to fix this issue https://www.youtube.com/watch?v=y2XvhtojInk

To recap you have one main router RB5009 doing the firewall rules DHCP and setting up the required vlans.
vlan for home traffic
vlan for wifi iot traffic
vlan for other
vlan for other etc.....

The two other device both hapac? set up as AP switches.
Post the config of these two if you want them reviewed.

Note: There is no such concept as one hap needs a different vlan from another hap etc.
It depends on what your uSERs need in the location being served. So you send the required vlans including the one the hap gets its IP address from to the hap.
The only VLAN that needs to be identified on the hap is the one it gets its IP address from.

Okay So far I have setup the the RB5009 with three VLANs:

VL10 Management 192.168.90.0/24
VL100 Wifi 2GHz for AX2 10.0.0.0/24 ether8
VL101 Wifi 2GHz for AX3 10.0.10.0/24 ether7

Ether8 has direct connection to Hap AX2. However, Ether7 is connected via two dump switches to ether1 of Hap AX3.

As of right now I have on been working on the Hap AX3, it's been reset to switch/AP and the VLANs for management and 2GHz WiFi created. Devices attached to the 2GHz WiFi are not being giving IP addresses in 10.0.10.0/24 range but there appears to be zero isolation between VL101 and default VL1 items even those connected directly to ether ports on the RG5009.