Based on the attached Diagram.
If I want to add 2-3 vlan's to the hotspot on Network B so that Wireless customers (laptops) see 3 -4 SSID's with different subnets behind either one of the Wireless AP's?
1, Do I need to add a vlan capable switch behind the RB750G? ? Or is the hardware shown in diagram sufficient?

2.What is basic configuration, i.e., where to add bridge? which interface to use? how to add new subnet to vlan?
I've got the standard out of the box Hotspot installed.

3. Does anyone have any examples with similar configuration, that would show me how to create vlan's.


Thanks in advance! ----------------------------------------------------------------------------------------
Address:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
interface=ether2-local-master actual-interface=ether2-local-master

1 address=98.173.*.*/24 network=98.173*.* broadcast=98.173.*.*
interface=ether1-gateway actual-interface=ether1-gateway
----------------------------------------------------------------------------------------------
Route:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=98.173.*.*
gateway-status=98.173.*.* reachable ether1-gateway distance=1
scope=30 target-scope=10

1 ADC dst-address=98.173.*.*/24 pref-src=98.173.*.* gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10

----------------------------------------------------------------------------------------------
Interface:
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R ether1-gateway ether 1500 1524
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 ether4-local-slave ether 1500 1524
4 ether5-local-slave ether 1500 1524
----------------------------------------------------------------------------------------------------
Firewall:

# jan/17/2011 14:14:27 by RouterOS 5.0rc4
# software id = GVT4-JHYE
#
/ip firewall layer7-protocol
add name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohun t|ent\
ertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bits\
oup|meganova|full dls|btbot|fenopy|gpirate|sumotorrent|bitmonster|az ureus\
|utorrent|vuze|torrentreactor|commonbits|torrentz|bitlord|warez|bit-torren\
t).*\$"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane |demon\
oid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova\
|fulldls|btbot|fe nopy|gpirate|azureus|sumotorrent|bitmonster|utorre nt|vu\
ze|commonbits|torrentreactor|torrentz|bitlord|warez|bit-torrent).*\$"
add name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=telnet regexp=\
"^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"
/ip firewall address-list
add address=192.168.88.200-0.0.0.210 disabled=no list=limited
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward connection-mark=mark connection-state=new \
disabled=no p2p=all-p2p
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp
add action=drop chain=forward comment=\
"Drop traffic from those on the suspect list" disabled=no dst-port=25 \
protocol=tcp src-address-list=suspectedspambot
add action=add-src-to-address-list address-list=suspectedspambot \
address-list-timeout=2d chain=forward comment=\
"More than 10 simultaneous connections looks spammy" connection-limit=\
10,32 disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward disabled=no port=80 protocol=tcp
add action=accept chain=forward disabled=no port=443 protocol=tcp
add action=accept chain=forward disabled=no layer7-protocol=bittorrent \
protocol=tcp
add action=accept chain=input disabled=no layer7-protocol=telnet protocol=tcp
add action=passthrough chain=output disabled=no layer7-protocol=telnet \
protocol=tcp
add action=accept chain=forward disabled=no src-address=192.168.88.58
add action=accept chain=forward comment="Attempt block P2P" disabled=no \
dst-address=192.168.88.58
add action=drop chain=forward disabled=no p2p=all-p2p
add action=accept chain=forward comment="1st p2p rule" connection-mark=\
p2p-traffic connection-state=new disabled=no p2p=all-p2p
add action=add-src-to-address-list address-list=p2p-users \
address-list-timeout=1w chain=forward comment="2nd p2p rule" \
connection-mark=p2p-traffic disabled=no src-address=192.168.88.0/24
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=drop chain=forward comment="block torrent wwws" disabled=no \
layer7-protocol=torrent-wwws
add action=accept chain=forward disabled=no layer7-protocol=torrent-wwws
add action=accept chain=forward disabled=no dst-port=25 protocol=tcp \
src-address-list=spammer
add action=add-src-to-address-list address-list="" address-list-timeout=0s \
chain=forward connection-limit=30,32 disabled=no dst-port=25 limit=50,5 \
protocol=tcp
/ip firewall mangle
add action=mark-packet chain=postrouting disabled=no new-packet-mark=Voip \
passthrough=no protocol=udp src-port=5060-5080
add action=mark-packet chain=postrouting disabled=no new-packet-mark=Voip \
passthrough=no protocol=udp src-port=16384-18000
add action=mark-packet chain=forward comment="Voip TOS 184" disabled=no dscp=\
46 new-packet-mark=Voip passthrough=no
add action=mark-packet chain=postrouting disabled=no new-packet-mark=Voip \
passthrough=no protocol=udp src-port=5000-6000
add action=mark-connection chain=forward connection-mark=!heavy_traffic_conn \
disabled=no new-connection-mark=all_conn passthrough=yes
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=heavy_traffic_conn \
disabled=no new-packet-mark=heavy_traffic passthrough=no
add action=mark-packet chain=forward connection-mark=all_conn disabled=no \
new-packet-mark=other_traffic passthrough=no
add action=mark-connection chain=forward connection-mark=!heavy_traffic_conn \
disabled=no new-connection-mark=all_conn passthrough=yes
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=heavy_traffic_conn \
disabled=no new-packet-mark=heavy_traffic passthrough=no
add action=mark-packet chain=forward connection-mark=all_conn disabled=no \
new-packet-mark=other_traffic passthrough=no
add action=mark-connection chain=forward connection-mark=!heavy_traffic_conn \
disabled=no new-connection-mark=all_conn passthrough=yes
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=heavy_traffic_conn \
disabled=no new-packet-mark=heavy_traffic passthrough=no
add action=mark-packet chain=forward connection-mark=all_conn disabled=no \
new-packet-mark=other_traffic passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment="**** AP" disabled=no dst-address=\
98.173.*.* dst-port=8098 protocol=tcp to-addresses=192.168.88.98 \
to-ports=80
add action=dst-nat chain=dstnat comment="**** (***t)" disabled=no \
dst-address=98.173.*.* dst-port=8003 protocol=tcp to-addresses=\
192.168.88.3 to-ports=80
add action=dst-nat chain=dstnat comment="***on ***t" disabled=no \
dst-address=98.173.*.* dst-port=8004 protocol=tcp to-addresses=\
192.168.88.4 to-ports=80
add action=dst-nat chain=dstnat comment="NS2 on mast" disabled=no \
dst-address=98.173.*.* dst-port=8005 protocol=tcp to-addresses=\
192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat comment="Bullet SSH" disabled=no dst-address=\
98.173.*.* dst-port=9004 protocol=tcp to-addresses=192.168.88.4 \
to-ports=22
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no \
out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="DSS admin port" disabled=yes \
dst-address=98.173.*.* dst-port=1220 protocol=tcp to-addresses=\
192.168.88.107 to-ports=1220
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
192.168.88.107 src-port=1220 to-addresses=98.173.*.* to-ports=1220
add action=dst-nat chain=dstnat comment="DSS udp554" disabled=yes \
dst-address=98.173.*.* dst-port=554 protocol=udp to-addresses=\
192.168.88.107 to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-address=98.173.*.* \
dst-port=554 protocol=tcp to-addresses=192.168.88.107 to-ports=554
add action=src-nat chain=srcnat comment=Seaforth disabled=no protocol=tcp \
src-address=192.168.88.6 src-port=80 to-addresses=98.173.*.* to-ports=\
8006
add action=dst-nat chain=dstnat comment="***** NSM5" disabled=no \
dst-address=98.173.*.* dst-port=8006 protocol=tcp to-addresses=\
192.168.88.6 to-ports=80
add action=src-nat chain=srcnat comment="***" disabled=no protocol=tcp \
src-address=192.168.88.7 src-port=80 to-addresses=98.173.*.* to-ports=\
8007
add action=dst-nat chain=dstnat comment="***** AirgridM5" disabled=no \
dst-address=98.173.*.* dst-port=8007 protocol=tcp to-addresses=\
192.168.88.7 to-ports=80
add action=src-nat chain=srcnat comment="****NSM5" disabled=no \
protocol=tcp src-address=192.168.88.8 src-port=80 to-addresses=\
98.173.*.* to-ports=8008
add action=dst-nat chain=dstnat comment=*******NSM5 disabled=no \
dst-address=98.173.*.* dst-port=8008 protocol=tcp to-addresses=\
192.168.88.8 to-ports=80
add action=src-nat chain=srcnat comment="****" disabled=no \
protocol=tcp src-address=192.168.88.9 src-port=80 to-addresses=\
98.173.*.* to-ports=8009
add action=dst-nat chain=dstnat comment=**** disabled=\
no dst-address=98.173.*.* dst-port=8009 protocol=tcp to-addresses=\
192.168.88.9 to-ports=80
add action=src-nat chain=srcnat comment=SonyCam disabled=no protocol=tcp \
src-address=192.168.88.2 src-port=1030 to-addresses=98.173.*.* \
to-ports=1030
add action=dst-nat chain=dstnat disabled=no dst-address=98.173.*.* \
dst-port=1030 protocol=tcp to-addresses=192.168.88.2 to-ports=1030
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061
set pptp disabled=no

Without knowing more about your hardware it's hard to say what you will or won't need, though I can tell you in general a good managed switch is not a bad idea to get. They can make your life much easier and give you several options that you wouldn't otherwise have. At some point however you will need VLAN aware devices so the traffic can get where you want it to go.

The first thing you need to understand about VLANs in MikroTik is that they are handled in the same way that Linux handles VLANs, each VLAN is an interface unto itself. It is not like a switch where you can assign VLANs to an interface to have the port listen to it. This means each VLAN is independent of each other like each Ethernet interface is independent of each other. You can either run a separate Hotspot and subnet on each VLAN, or you can tie them all together with a bridge and run a single hotspot and subnet on the bridge interface itself.

If you want all of your VLANs to share the same hotspot, here are the steps that you follow:
1.) Create all of your VLANs.
2.) Make a Bridge for all of your VLANs to be a part of.
3.) Assign all of your VLANs to that bridge, and VERY important, assign them a horizon number. This number should be the same for all interfaces.
http://wiki.mikrotik.com/wiki/Manual:MP ... n_bridging
Without this settings, the setup can break down very very quickly.

Also as a note, you cannot have the physical interface that holds the VLANs as part of the same bridge. This will break the setup. What this means to you is that if you want to use this setup everything leaving the MikroTik needs to be tagged and everything coming into the MikroTik needs to be tagged.

If you want to run separate hotspots and subnets for each VLAN, then make the VLANs and assign different subnets and make a different hotspot instance for each.

Thanks,
Yeah, I want to run separate hotspots.
To start, So, I do not need a VLAN switch down stream?
The Radio hardware is all VLAN capable.
I'll give it a go tonight, with what you suggested.

If your current hardware is VLAN aware, then you should be fine. As a general rule an un-managed switch or bridge should just pass on the VLANs without modifying them.

The important thing is not to pass VLANs to the clients provided it's not a CPE that is VLAN aware. Most operating systems do not recognize VLANs by default and passing them VLAN traffic will cause it to just drop the packets as it doesn't know how to read them. This means you need to strip off the VLAN tag in the hardware right before it reaches the client. This is done with a MikroTik by making a bridge and assigning it one physical interface that the client connects to and a VLAN that is not assigned to the physical interface on the bridge. This way any traffic coming in on that VLAN interface will have it's tagged striped when it leaves the physical interface, and any traffic coming in on the physical interface will have a tag added when it leaves the VLAN interface.

VLANs are great for creating different logical networks using the same hardware, but if this is your first time using them I would recommend setting this up in a lab environment, or at lease somewhere where you have quick access to all hardware. If you do it wrong it can be very easy to lock yourself out of stuff. Just remember to think of each VLAN in MikroTik as it's own physical interface and it should get you going down the right path.

Thanks,
So the wireless AP serving clients is the Unifi device by UBNT, I still haven't quite fiigured out whether or not they're actually VLAN functional. They do have the option in the software config, but whether or not they actually work, I'm not sure. Haven't read anybody actually making them work yet.
Regardless. The new firmware on the UBNT radios are able to pass vlan traffic, from what I understand.
But back to the MT router where everything starts.
I'm going to follow your suggestions with configs on the MT device and set the network up as though the WAP will work.
It's definitely not a production environ, yet... So, back to the drawing boards.