Got it! Was hoping for some obvious error
Router: RB5009UPr+S+
Switch: CRS328-24P-4S+
Access points: C53UiG+5HPaxD2HPaxD
Access points are wired to the Switch. The switch wired to the router.
So when I activate vlan filtering on the swtich, the wifi stops working.
Config for router, switch and ac.
# ROUTER CONFIG
####################################
# 2024-11-29 11:19:29 by RouterOS 7.14.3
# model = RB5009UPr+S+
/interface bridge
add admin-mac=78:9A:18:D0:8C:88 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=WG
/interface vlan
add interface=bridge name=vlan_bg_30 vlan-id=30
add interface=bridge name=vlan_guest_20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no name=5g
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2,4 width=20mhz
add band=5ghz-ax disabled=no name="5g tech"
/interface wifi datapath
add bridge=bridge disabled=no name=lan
add bridge=bridge disabled=no name=guest_20 vlan-id=20
add bridge=bridge disabled=no name=bg_30 vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=lan
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
guest
/interface wifi configuration
add channel=5g channel.band=5ghz-ax country=[Country] datapath=bg_30 disabled=no \
name=wifi-5g security=lan ssid=companyname
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=bg_30 disabled=\
no mode=ap name=wifi-2,4 security=lan ssid=companyname
add channel=5g channel.band=5ghz-ax country=[Country] datapath=guest_20 \
disabled=no name=wifi-guest-5g security=guest ssid=companyname-guest
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=guest_20 \
disabled=no mode=ap name=wifi-guest-2,4 security=guest ssid=\
companyname-guest
add channel="5g tech" channel.band=5ghz-ax country=[Country] datapath=lan \
disabled=no name=wifi-tech-5g security=lan ssid=companyname-tech
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=lan disabled=no \
mode=ap name=wifi-tech-2.4 security=lan ssid=companyname-tech
/interface wifi
add configuration=wifi-5g disabled=no name=cap7 radio-mac=18:FD:74:FE:97:91
add configuration=wifi-guest-5g disabled=no mac-address=1A:FD:74:FE:97:91 \
master-interface=cap7 name=cap8
add configuration=wifi-tech-5g disabled=no mac-address=1A:FD:74:FE:97:92 \
master-interface=cap7 name=cap9
add configuration=wifi-2,4 configuration.mode=ap disabled=no name=cap10 \
radio-mac=18:FD:74:FE:97:92
add configuration=wifi-guest-2,4 disabled=no mac-address=1A:FD:74:FE:97:93 \
master-interface=cap10 name=cap11
add configuration=wifi-tech-2.4 disabled=no mac-address=1A:FD:74:FE:97:94 \
master-interface=cap10 name=cap12
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.5-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan_guest_20 lease-time=10m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan_bg_30 lease-time=10m name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=wifi-5g \
name-format=cap slave-configurations=wifi-guest-5g,wifi-tech-5g \
supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=wifi-2,4 \
name-format=cap slave-configurations=wifi-guest-2,4,wifi-tech-2.4 \
supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.40.2/32 comment=Tobias interface=WG private-key=\
"wHficbRgpq5OJRPy77HVreaKxd/TAPUFljj3x+EfJVo=" public-key=\
"4U40wNy/Fp4oweGa5WRi8rfNZFcrK3+icWnypWE0zw4="
add allowed-address=192.168.40.3/32 comment="P\C3\A4r" interface=WG \
private-key="aKVd306oaKOCyADjYAGQB9/pbTRWp/naKZ0IEH/PkHs=" public-key=\
"QvxmTLXKu5aiWPxTcaz5aLc4xbz45+kFqawqqx7hTis="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.20.1/24 interface=vlan_guest_20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan_bg_30 network=192.168.30.0
add address=192.168.40.1/24 interface=WG network=192.168.40.0
add address=[IP]/26 interface=ether1 network=213.136.57.0
/ip arp
add address=192.168.88.130 interface=bridge mac-address=00:25:90:5E:B7:D8
add address=192.168.88.102 interface=bridge mac-address=2A:FF:25:5F:17:43
add address=192.168.30.14 interface=vlan_bg_30 mac-address=00:41:0E:4A:F7:02
add address=192.168.88.131 interface=bridge mac-address=D6:07:2E:B1:EE:99
add address=192.168.88.83 interface=bridge mac-address=94:DD:F8:04:F7:A4
add address=192.168.88.139 interface=bridge mac-address=D8:3A:DD:B6:D4:81
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.139 client-id=1:d8:3a:dd:b6:d4:81 mac-address=\
D8:3A:DD:B6:D4:81 server=defconf
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=[IP],[IP]
/ip firewall filter
add action=accept chain=forward comment="Allow companyname to printer" \
dst-address=192.168.88.83 src-address=192.168.30.0/24
add action=accept chain=forward comment="Allow WireGuard to bridge" \
dst-address=192.168.88.0/24 src-address=192.168.40.0/24
add action=accept chain=input comment="Allow Winbox from VPN subnet" \
dst-port=8291 protocol=tcp src-address=192.168.40.0/24
add action=drop chain=forward comment="Block companyname to bridge" dst-address=\
192.168.88.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Block companyname-guest to bridge" \
dst-address=192.168.88.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname-guest to companyname" \
dst-address=192.168.30.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname-guest to VPN" \
dst-address=192.168.40.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname to VPN" dst-address=\
192.168.40.0/24 src-address=192.168.30.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment="Access bridge from VPN" dst-address=\
192.168.88.0/24 src-address=192.168.40.0/24
/ip route
add disabled=no dst-address=10.6.12.0/24 gateway=138.199.55.3 routing-table=\
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# SWITCH CONFIG
####################################
# 1970-06-27 15:43:07 by RouterOS 7.14.3
# model = CRS328-24P-4S+
/interface bridge
add admin-mac=D4:01:C3:38:FD:84 auto-mac=no comment=defconf name=bridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment="Open landscape" interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment="Tech Room" interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21 pvid=30
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=ether1,ether12 vlan-ids=20
add bridge=bridge tagged=ether1,ether12 vlan-ids=30
add bridge=bridge untagged=ether1 vlan-ids=1
/ip address
add address=192.168.88.2/24 comment=defconf interface=bridge network=\
192.168.88.0
# ACCESS POINT CONFIG
####################################
# 2024-11-29 11:31:10 by RouterOS 7.14.3
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=18:FD:74:FE:97:8C auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: companyname, channel: 5720/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
disabled=no
# managed by CAPsMAN
# mode: AP, SSID: companyname, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether4 pvid=30
add bridge=bridgeLocal comment=defconf interface=ether5 pvid=30
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi2,wifi1 \
vlan-ids=30
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=*97,*98 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal