Hi.

I have am a newbie to capsman so just wanted to check what I want to do is possible before I purchase another routerboard to use as an AP.

My network consists of 3 SSID and each one is on it's own subnet. The two extra are for guest and IOT which do not have access to other subnets apart from IOT controller on main subnet.
Ethernet is all bridged to main subnet. I have no managed switches or VLAN .
Wireless signal is poor in the the remotest part of my house and at the moment I have an old consumer router acting as an AP for main LAN, but I want some devices to connect to the other subnets.

So, If I say buy a HAP AC lite, can I use capsman to replicate all three SSIDs / subnets over one ethernet cable back to the main router.

You can, if you use VLAN.

Why are you referring to CAPsMAN?
Replicating is no problem, subnetting is.

You can do it even without using VLANs. When using CAPsMAN to provision APs it is possible to configure it in the way all traffic is tunneled to CAPsMAN device which then splits traffic into different IP subnets. What you do with individual subnets there is up to confing, you can bridge one with the rest of LAN while consider others as firewalled subnets. If CAPsMAN is at the same time main router, then it can restrict firewalled subnets to only internet access (or whatever else you manage to configure).
This ability (tunneling all traffic from AP to CAPsMAN) does come with a price: performance drop is considerable in most of cases and if achieved performance is not at desired level, then one has to revert to using VLANs (as @erlinden already mentioned) to ensure isolation of traffic from different SSIDs on the path between AP and main router. Which may or may not be achieved when using "dumb" ethernet switches on the path. But when using VLANs use of CAPsMAN functionality becomes questionable (it's a burden not worth taking with small number of APs in same network).

Thank you for the replies.

I referred to CAPsMAN because, when searching this and other forums before posting, it seemed to come up as the recommended solution.

So from what I understand, with a small network consisting of 2x routerboards I would be better off configuring manually and using VLAN?
I had previously considered VLAN but it did not seem viable at the time with only 1 router and a dumb switch.

Please could you elaborate on "Replicating is no problem, subnetting is." Are you saying I should have 3 wireless SSID's on the same subnet but separate using VLAN?

I don't recommend capsman.
Its like adding another OS to routerOS, with some overhead and worse complication.
Its not just another layer on the onion its more like another layer with hooks everywhere. :-)

IF you have one or two MT access points dont bother, 3 or more the benefits start to outweigh the crap.

My recommendation is to set up the wireless straight up and when you are comfortable enough in RoS then venture into capsman land.

I don't recommend capsman.
Its like adding another OS to routerOS, with some overhead and worse complication.

Thanks. Ok clearly my original idea is not the way forward. I am glad I posted on here first.
Hopefully I can do something like show in the docs with my existing setup of 3 subnets, giving each SSID and associated subnet it's own VLAN ID, and then setting up a trunk to the second router acting as AP. https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless . In my case I won't have R3 or R4 but wireless clients.

Similar to my setup.
I have one router which is attached directly to 3 managed switches and from there multiple Access Points with wifi for basement, for basement guets for basement IOT, and upstairs for house wifi, for guest wifi and more IOT, all on separate Vlans with different SSIDs, etc.

Your setup sounds good. Hopefully this can be done without any managed switches as I don't really have many devices that need to be on another vlan.
Unfortunately VLAN was not part of the MTCNA so time for some self study !!

VLAN is base of MTUNA :-)

VLAN is base of MTUNA :-)

Ha, if that's what I think it is, I have embarked upon my journey towards certification, having now spent most of today getting confused over the various ways to implement VLAN.

So far I think I need to bin off my existing bridges, combine everything apart from WAN into one bridge, and then VLAN?

So far I think I need to bin off my existing bridges, combine everything apart from WAN into one bridge, and then VLAN?

Indeed. I like to think of VLAN as layer 2.5 ... so physical connections (ethernet, layer 2) get overlaid with L2.5 network which logically speaking has different layout than L2 network. VLANs, being virtual, are harder to visualize (that's easy with L2 being physical), so perhaps some drawings on flip chart or some such may help.
Could be the best approach is top-down: make list of your devices, divide them to different IP subnets (that's L3). Then you make out connections needed and that will be your L2.5 network. When L2.5 network is known, design physical connections (L2). If it turns out L2.5 and L2 networks are 1:1, then there's no need to add VLANs into mix, perhaps split horizon is all you need (to segment a switch). Or another (thought) approach: after L3 design is done, only consider L2 (physical connections). If there are many physical connections (used by different L3 networks) going from geographical point A to geographical point B (both points can be either end-device such as multi-homed server or a network appliance such as switch or WiFI AP or simply cable aggregation point) but you can't really implement them in physical world (read: no more space in that duct pipe), then you add the L2.5 on that stretch.
And if you find out that there is need for VLANs anywhere in your physical (l2) network, then implement VLANs on all LAN devices end-to-end.

Then it comes to configuration of MT bridges. Yes, if they are supposed to participate in VLANed network, then the proper way is to configure them as VLAN-aware switches which means single bridge with vlan-filtering=yes. Remember: nowdays basic functionality of bridge is spanning physical interfaces, VLAN is a function of bridge (not the other way around).
And, to make your head spin even more but perhaps you'll find it useful: it is possible to use VLANs internally to single switch/bridge. This way it's quite simple to segment a switch and keep HW offload on all ports at the same time (by configuring two bridges one looses HW offload on one of bridges).

BTW, sometimes it's useful to treat WAN as one of VLANs as well. E.g. if you want to create router-on-a-stick where WAN is connected to one of switch ports, another switch port is used to connect router (and router only uses single physical connection for all involved networks, WAN being merely one of those networks). Philosophically: what's the difference between WAN and any of multiple LANs? Apart from more strict blocking of ingress connections in firewall and default route pointing at some WAN-connected router not much. Doesn't really differ in terms of L2 or L2.5. And yes, it is completely fine to run tunneling protocols over VLAN (e.g. PPPoE).

@mkx thanks for the detailed advice. Lots to think about there. A simple diagram has already been scrawled!

At the moment my RB is working quite happily with no VLAN and three wifi subnets. However as I want to extend this setup using another RB acting as an access point, separation via VLAN seems to be the way forward. It would also let me use some of the ethernet ports for IOT purposes. Also it is a good excuse to learn a bit more.

I have today installed EVE-NG and got the Mikrotik cloud router on it. I'm not quite ready to start factory resetting my production router quite yet. I hope to work through some of the nice VLAN examples given on here to get some practice.

"if caps-man could only control a good radio..."

I type it here all the time. When it comes to wireless... I am going to go with another vendor.

"if caps-man could only control a good radio..."

I type it here all the time. When it comes to wireless... I am going to go with another vendor.

After reading the docs, I seem to be going round in circles. For my HAP AC, it has a switch chip, so the suggestion from the wiki is to use it as detailed here https://wiki.mikrotik.com/wiki/Manual:B ... _switching

However that does not cover wifi which does not work with a switch chip for HW offload. So that takes my back to applying VLAN on the bridge as shown at https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

The cloud router that is available to use with EVE-NG does not take switch commands such as "add ports=ether1,ether2 switch=switch1 vlan-id=20" so getting to grips with this is difficult.
I think I am going to draw up my network diagram and post it on a new topic for advice.

Commands which work directly with hardware (e.g. switch chip) vary between devices according to switch chip class. And I don't see you mentioning type of main router.

When it comes to HW offload: only wire2wire traffic can be offloaded to switch chip. If primary use of hAP ac devices will be wireless AP with single wired connection towards main router, then there won't be anything to offload and you can rest your mind while configuring everything around (SW) bridge.

My suggestion: configure everything around bridge. After everything works according to expectations, you can move focus to performance, optionally reconfigure things to use HW offload where possible.

@mkx Ok thanks for that. The HAP AC is my main router
I think I will just have to get the HAP AC lite and use that to experiment with. What I want to do is something like this:
Current setup is just separate bridges each on it's own subnet. No VLAN.

For starters go through this this tutorial, it should explain the way VLANs should be done.

When it comes to (virtual) wlan interfaces - you'll have one per SSID: add them as access ports to unified bridge (set appropriate PVID). Don't bother with vlan settings on wlan interfaces.

As mentioned before: configuration done according to linked document is SW based and hAP ac Lite will struggle bridging traffic between wired ports belonging to same VLAN (e.g. eth2, eth3 and eth5). But since ethernet ports are only 100Mbps, device should still be able to bridge everything wire-speed.

Thank you for this mkx. I now know - 1) what I want to do is possible and 2) know which method to use in order to get there.

I didn't realise HAP AC Lite was only 100Mbps. Looks like I may be getting another HAP AC then unless there are any other cheaper alternatives.

cAP AC has the same MSRP... But I often find them for less than the hAP AC2. Something about sellers thinking of it as a WAP rather than the same unit with less switching ports.

cAP AC has the same MSRP... But I often find them for less than the hAP AC2. Something about sellers thinking of it as a WAP rather than the same unit with less switching ports.

Good tip thanks. AC2 currently £68 on amazon which seems to be way better value then the £110 for hAP AC unless I am missing something.

cAP AC has the same MSRP... But I often find them for less than the hAP AC2. Something about sellers thinking of it as a WAP rather than the same unit with less switching ports.

Good tip thanks. AC2 currently £68 on amazon which seems to be way better value then the £110 for hAP AC unless I am missing something.

hAP AC is not the same as hAP AC2

2 different devices.

Just an update.
Found some time today and after some successful testing on a hex RB I took the plunge and changed my config on the hAP AC as per the guide at viewtopic.php?f=13&t=143620.

So I now have VLAN set ready for the next step to create a trunk port to an AP.

As expected CPU utilization is now much higher. 1 client at 90Mbps download causes around 80% CPU. Add in another downloading client and it is up to 100%.

Thanks for all the help.