LTE failover to a different router

Posted: Mon Sep 14, 2020 9:47 am
by nevolex
Hi guys,

I am trying to do a failover but am stuck, as the LTE modem is on a different router.


Main router: 1 WAN, 2 DHCP servers (VLAN 10 and VLAN 20)

[admin@MikroTik_RB4011] /ip route> pri
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 121.99.228.1 1
1 ADC 10.10.0.0/24 10.10.0.1 bridge_vlan10_main 0
2 ADC 10.20.0.0/24 10.20.0.1 bridge_vlan20_g... 0
3 ADC 121.99.xxx.xxx/19 121.99.xxx.xxx Orcon_ISP 0
[admin@MikroTik_RB4011] /ip route>



The second router has an LTE WAN connection:

[admin@MikroTik_hap_ac2] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.10.0.1 1
1 DS 0.0.0.0/0 10.20.0.1 1
2 DS 0.0.0.0/0 lte1 2
3 ADC 10.10.0.0/24 10.10.0.3 bridge_vlan10_main 0
4 ADC 10.20.0.0/24 10.20.0.3 bridge_vlan20_g... 0
5 ADC 100.80.xxx.xxx/32 100.80.xxx.xxx lte1 0


What would be the right routing? At the moment it is all dynamic.

thanks a lot

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 10:55 am
by mooks
So if the Uplink of MikroTik_RB4011 fails it should use the LTE uplink of MikroTik_hap_ac2 instead?

The easiest way would be to add a static route 0.0.0.0/0 via the "local IP of hap_ac2" with distance 10 or higher on the RB4011.

However, your hap_ac is using the uplink of your rb4011 and LTE only as a backup (distance 2):
0 ADS 0.0.0.0/0 10.10.0.1 1
1 DS 0.0.0.0/0 10.20.0.1 1
2 DS 0.0.0.0/0 lte1 2

So my proposed route would result in a loop!
Best would be to use only LTE as an Uplink on the hap_ac.

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 11:33 am
by nevolex
Hi mooks,

I am trying to set up failover in a way that if the WAN dies on the primary, traffic will be failed over to the secondary. However, I cannot use "ping the gateway", as on the second router the gateway is the IP of router one. So even if the WAN dies the routes won't switch, as router one will remain up and the gateway check is the router 1 LAN IP :(

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 11:48 am
by mooks
do you use the hap_ac only for LTE uplink?

If not:
no need to configure the VLANs on hap_ac2
just configure the hap as a normal router and configure a different subnet, e.g. 192.168.42.1/24

then connect the rb4011 to the hap as a client with a static IP (e.g. 192.168.42.2).
sourcenat rule to 192.168.42.2 on rb4011, out interface the one connected to the hap.
route on rb4011:
0.0.0.0/0 192.168.42.1 10

if yes:
Otherwise you will have to configure netwatch to check the uplink using an external IP like Google DNS.
https://mum.mikrotik.com/presentations/ ... 743837.pdf
In that case, the router will notice a problem, because it is not checking the local gateway.

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 11:56 am
by sindy
The case is really unclear in terms whether both routers should be able to use the 4011's WAN while it works, and hAP ac's (LTE) WAN whenever it doesn't, or whether the hAP ac is there only to provide the LTE WAN for the 4011. Can you clarify this basic question?

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 12:19 pm
by nevolex
sorry for being unclear guys, the only reason why the setup is "complex" is that my main router (4011) doesn't have a USB port, but the hAP does

what I am trying to achieve is basically: if ISP 1 / WAN 1 on my 4011 stops working (the 4011 remains up), traffic will be failed over to the hAP (router 2), which has an LTE USB modem. Currently the default route is the gateway of ISP 1.

i just cannot figure out how to set it up,

for example, I can set up a static route to the hAP 10.10.0.3 (so 0.0.0.0/0 via 10.10.0.3) on the 4011 and tick the option to check the gateway by pinging the ISP gateway, so when I simulate an outage on the 4011 (main router) traffic switches from the ISP 1 gateway to the 10.10.0.3 gateway (hAP). But there is still an outage, I cannot ping external IPs; maybe there is no return route from the hAP back to the 4011?

so yes, the hAP uses the 4011 WAN connection (ISP 1), but when ISP 1 fails, the hAP takes over the routing (ISP 2 over LTE)

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 12:39 pm
by mooks
as I said earlier the problem is, that your hap also has the rb4011 defined as the primary gateway:
0 ADS 0.0.0.0/0 10.10.0.1 1

so if isp1 is down, rb4011 uses the hap as gateway, but the hap is using rb4011 as gateway -> loop and nothing works.

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 1:10 pm
by nevolex
thank you mooks, so basically there is nothing that can be done in order to set it up the right way?

thank you

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 1:24 pm
by mooks
no, you just have to configure it the correct way.

hap should not be configured as client, it should only use isp2 as gateway.
rb4011 should be configured as a client of the hap.

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 1:34 pm
by nevolex
thank you for your advice, but I doubt I can configure it the other way. You see, my configuration is as follows:

main router / ISP 1 on 4011 ---> trunk to MikroTik Audience ---> wireless ---> hAP (used as a wireless bridge connecting wired devices to the network via WiFi back to the MikroTik Audience)

the hAP just has to be a client. I was just hoping that somehow I could set it up so that it can also be the router when needed, but I guess it won't. Thank you for your help

regards
alex

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 1:42 pm
by sindy
Publish the configurations of both machines (see my automatic signature regarding anonymisation), rest assured that there is a way, you can always use VLANs and/or policy routing. Even if the hAP ac is a DNS client, it need not ask for a default route via DHCP.

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 2:15 pm
by nevolex
thank you

[admin@MikroTik_RB4011] > /export hide-sensitive
# sep/14/2020 23:10:27 by RouterOS 6.47.3
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
/interface bridge
add name=bridge_vlan10_main
add arp=reply-only name=bridge_vlan20_guest
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=Monitor_VLAN_20
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_10Gb_Fibre
/interface vlan
add comment=WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan10_main vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan20_guest vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_vlan10_main ranges=10.10.0.1-10.10.0.253
add name=pool_vlan20_guest ranges=10.20.0.1-10.20.0.253
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=bridge_vlan10_main lease-time=23h59m59s name=dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=bridge_vlan20_guest lease-time=23h59m59s name=dhcp_vlan20_guest
/queue simple
add max-limit=20M/20M name=vlan20_speed_limit target=10.20.0.0/24
/interface bridge port
add bridge=bridge_vlan10_main interface=ether2
add bridge=bridge_vlan10_main interface=ether3
add bridge=bridge_vlan10_main interface=ether4
add bridge=bridge_vlan10_main interface=ether5
add bridge=bridge_vlan10_main interface=ether6
add bridge=bridge_vlan10_main interface=ether7
add bridge=bridge_vlan10_main interface=ether8
add bridge=bridge_vlan20_guest interface=ether10
add bridge=bridge_vlan10_main interface=vlan10_main
add bridge=bridge_vlan20_guest interface=vlan20_guest
add bridge=bridge_vlan10_main interface=sfp-sfpplus1
/interface list member
add interface=Orcon_ISP list=WAN
add interface=bridge_vlan10_main list=LAN
add disabled=yes interface=bridge_vlan20_guest list=LAN
/ip address
add address=10.10.0.1/24 interface=bridge_vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=bridge_vlan20_guest network=10.20.0.0
/ip dhcp-client
add disabled=no interface=Orcon_ISP
/ip dhcp-server lease
add address=10.10.0.7 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC mac-address=9C:5C:8E:20:B8:C6 server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb mac-address=D0:73:D5:24:52:2F server=dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=50:EC:50:3A:F7:C5 server=dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer mac-address=C0:B5:D7:5B:D7:4E server=dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.5 comment=VoipPhone mac-address=00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV mac-address=AC:D5:64:94:DB:DD server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:cc:f9:e4:9c:0:e0 comment=DellXPS_Laptop mac-address=CC:F9:E4:9C:00:E0 server=dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=MikroTik_Audience_VLAN_20 mac-address=76:4D:28:F4:F7:F3 server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=MikroTik_Audience_VLAN_10 mac-address=74:4D:28:F4:F7:F2 server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir mac-address=38:F9:D3:52:A6:BE server=dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:81 comment=RaspberryPi mac-address=DC:A6:32:0E:48:81 server=dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTVTuner mac-address=00:18:DD:24:1C:FA server=dhcp_vlan10_main
add address=10.10.0.4 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=24:5E:BE:1A:4F:37 server=dhcp_vlan10_main
add address=10.10.0.6 client-id=ff:b5:5e:67:ff:0:2:0:0:ab:11:3:55:b7:2b:3a:d1:99:5 comment=Linux_Server mac-address=52:54:00:13:09:91 server=\
dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader mac-address=00:0A:F5:45:BF:EC server=dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:b1:33:b comment=MikroTik_hap_ac2_VLAN_10 mac-address=C4:AD:34:B1:33:0B server=dhcp_vlan10_main
add address=10.20.0.3 client-id=1:c4:ad:34:b1:33:a comment=MikroTik_hap_ac2_VLAN_20 mac-address=C4:AD:34:B1:33:0A server=dhcp_vlan20_guest
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.0.1 netmask=24
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Orcon_ISP
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.10.0.6
/ip route rule
add action=unreachable dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=unreachable dst-address=10.20.0.0/24 src-address=10.10.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
add interval=4w2d name=monthly_reboot on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
aug/27/2020 start-time=03:00:00
[admin@MikroTik_RB4011] >
[admin@MikroTik_hap_ac2] > /export hide-sensitive
# sep/14/2020 23:11:42 by RouterOS 6.47.3
# software id = 4KFR-KG6I
#
# model = RBD52G-5HacD2HnD
# serial number = BEED0BAF2B91
/interface bridge
add name=bridge_vlan10_main
add name=bridge_vlan20_guest
/interface ethernet
set [ find default-name=ether1 ] comment="Raspberry Pi"
set [ find default-name=ether2 ] comment="TV Tuner"
/interface lte
set [ find ] name=lte1
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap management-protection=allowed mode=\
dynamic-keys name=wlan_10_main supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap management-protection=allowed mode=\
dynamic-keys name=wlan_20_guest supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
comment="Connected to WLAN20" country="new zealand" disabled=no frequency=\
2447 mode=station-bridge security-profile=wlan_20_guest ssid=wifi_guest
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
comment="Connected to WLAN10" country="new zealand" disabled=no frequency=\
5260 mode=station-bridge security-profile=wlan_10_main ssid=wifi
/interface wireless manual-tx-power-table
set wlan1 comment="Connected to WLAN20"
set wlan2 comment="Connected to WLAN10"
/interface wireless nstreme
set wlan1 comment="Connected to WLAN20"
set wlan2 comment="Connected to WLAN10"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge_vlan10_main interface=ether1
add bridge=bridge_vlan10_main interface=ether2
add bridge=bridge_vlan10_main interface=ether3
add bridge=bridge_vlan10_main interface=ether4
add bridge=bridge_vlan10_main interface=wlan2
add bridge=bridge_vlan10_main interface=ether5
add bridge=bridge_vlan20_guest interface=wlan1
/interface list member
add interface=bridge_vlan10_main list=LAN
add interface=lte1 list=WAN
/ip dhcp-client
add disabled=no interface=bridge_vlan10_main
add disabled=no interface=bridge_vlan20_guest
/ip route rule
add action=unreachable dst-address=10.20.0.0/24 src-address=10.10.0.0/24
add action=unreachable dst-address=10.10.0.0/24 src-address=10.20.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_hap_ac2
/system scheduler
add interval=4w2d name=monthly_reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/27/2020 start-time=03:20:00
[admin@MikroTik_hap_ac2] >

Re: LTE failover to a different router

Posted: Mon Sep 14, 2020 8:30 pm
by sindy
Looking into your configurations, the hAP ac² is there only as a port & wireless extender of the 4011, so whatever is connected to it by wire or wirelessly gets the 4011's IP address as the default gateway. I.e. the hAP ac² doesn't route any traffic, so it doesn't need any route at all (unless you'd want to manage it remotely). So you can configure both DHCP clients with add-default-route=no to stop the traffic from looping - whatever the 4011 routes via 10.10.0.3 or via 10.20.0.3 will be forwarded to the gateway provided by the LTE. However, since these addresses are in the same subnet as 10.10.0.1 resp. 10.20.0.1, if the 4011's default route via ether1 is down, the 4011 will not forward packets received from 10.10.0.0/24 to 10.10.0.3 but will send an ICMP redirect to the sender instead, informing it that a better gateway to the destination exists in the same subnet, which means that the firewall of the 4011 will be bypassed. Leaving aside that there is no masquerade rule in the hAP ac², so the responses to these packets won't get back (if they would even get to the destination).

Also, it seems that you use a dedicated Ethernet cable for each subnet ("vlan"); unless you have some bandwidth concern, I can see no reason to do it this way, I would recommend to actually use VLANs instead, on a single interconnect cable.

And here we come to the point - if you add a third VLAN hosting an interconnection subnet, you can use it as the second WAN link of the 4011, with the hAP ac²'s address in that interconnection subnet as a gateway. With this setup, if the primary WAN is down, the 4011 will forward packets to the hAP ac², which will forward them further via LTE. To make the backward direction work correctly, you have to remove the DHCP clients in vlans 10 and 20 at the hAP ac², so it won't have any IP address in these VLANs and will act as mere bridge in both; you'll use its IP address in the new interconnection subnet to manage it, so add that subnet first, then log in to this new address, and remove the then-redundant DHCP clients.

With this setup, the traffic between anything in the internet and anything in vlans/subnets 10 and 20 will pass through the 4011 and its firewall; on the hAP ac², you'll only need an action=masquerade rule in the nat table and a simple setup in the input chain of the filter table (accept established & related, drop whatever else comes in via LTE). No need to configure the forward chain of the firewall there, the 4011's one will do the job.

I don't know the LTE data plans at NZ - if you can get more than, say, 400 Mbit/s download, it may make sense to use a dedicated cable for this secondary WAN rather than a third VLAN on the single cable, if most LAN clients are connected to the hAP ac².

Re: LTE failover to a different router

Posted: Tue Sep 15, 2020 4:03 am
by nevolex
thank you so much for your reply, may I please ask what you mean by "interconnection subnet"? Sorry, I am still learning networking

Re: LTE failover to a different router  [SOLVED]

Posted: Tue Sep 15, 2020 8:46 am
by sindy
An "interconnection subnet" is an arbitrary name describing the purpose - a subnet intended solely for the interconnection of two routers, different from those used to connect the other devices.

The whole thing I had in mind can also be described as partitioning the hAP ac² into two logical units:
  1. an extender switch & AP
  2. a router behaving similarly to a typical ISP-provided home CPE, i.e. with one WAN (the LTE) and one LAN (the interconnection subnet, where the only other device will be the 4011)
It is important that the "extender switch & AP" part cannot participate in routing, for the reasons explained before. The easiest way to prevent that is not to assign IP addresses to the hAP ac² in the related VLANs.

You may also want to look into CAPsMAN - the way to control wireless interfaces on multiple physical units centrally (from the 4011), or note the fact that you can create multiple logical wireless interfaces on a single physical one, each with its own SSID and security settings. Hence you can have both the home and guest SSIDs in both frequency bands on both devices. This can be done with or without CAPsMAN.
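The interconnection-subnet design from sindy's two posts above, written out as RouterOS 6 commands against the interface names in the posted exports. This is an added example, not configuration from the thread participants; VLAN 30, 192.168.30.0/24, the .1/.2 addresses and the rule comments are assumptions, and it is assumed that the Audience passes tagged VLAN 30 frames to the hAP along the same path as VLAN 10.

```routeros
# ==== RB4011 (primary router) ====
# Assumptions (not from the thread): VLAN 30 and 192.168.30.0/24 as the
# interconnection subnet, hAP ac2 = 192.168.30.1, RB4011 = 192.168.30.2.
/interface vlan
add comment=Interconnect_to_hAP interface=ether9-trunk name=vlan30_interconnect vlan-id=30
/ip address
add address=192.168.30.2/24 interface=vlan30_interconnect network=192.168.30.0
# Treat the link towards the hAP as a WAN: the existing defconf input/forward
# drop rules for in-interface-list=WAN then also protect the 4011 on this side.
/interface list member
add interface=vlan30_interconnect list=WAN
# Backup default route. distance=10 keeps it inactive while the ISP route
# (distance 1) is active; check-gateway=ping only proves the hAP itself
# answers, not that its LTE link works. The primary ISP route must also be
# health-checked (check-gateway=ping on it, or netwatch to an external host
# as suggested earlier in the thread), otherwise it never goes inactive.
/ip route
add comment="Backup default via hAP LTE" check-gateway=ping distance=10 gateway=192.168.30.1
# Hide 10.10.0.0/24 and 10.20.0.0/24 behind 192.168.30.2 towards the hAP, so
# the hAP needs no return routes to the LAN subnets and can be managed from them.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT towards hAP interconnect" out-interface=vlan30_interconnect

# ==== hAP ac2 (LTE router for the interconnection subnet) ====
# Step 1: create the interconnection subnet FIRST, while the DHCP leases in
# VLAN 10/20 still work, so that management access is never lost.
# The tagged VLAN 30 frames are assumed to arrive over the same path as VLAN 10
# (bridge_vlan10_main in the posted export); the VLAN interface sits on the
# bridge, not on a bridge port, which is the RouterOS 6 pattern.
/interface vlan
add comment=Interconnect_to_RB4011 interface=bridge_vlan10_main name=vlan30_interconnect vlan-id=30
/ip address
add address=192.168.30.1/24 interface=vlan30_interconnect network=192.168.30.0
/interface list member
add interface=vlan30_interconnect list=LAN
# lte1 is already in the WAN list; its dynamic default route (distance 2)
# becomes the only default once the DHCP clients below are removed.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT interconnect traffic out via LTE" out-interface-list=WAN
# Input chain as described in the thread: accept replies, drop the rest that
# arrives via LTE. Traffic from the LAN list (the interconnect, including the
# 4011's check-gateway pings and WinBox/SSH) falls through and is accepted.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop everything else arriving via LTE" in-interface-list=WAN
# Step 2: log in to 192.168.30.1 and only then remove the VLAN 10/20 DHCP
# clients. Without addresses there the hAP is a pure bridge in those VLANs, it
# cannot take part in routing, and the 4011 has no reason to emit ICMP redirects.
/ip dhcp-client
remove [ find interface=bridge_vlan10_main ]
remove [ find interface=bridge_vlan20_guest ]
```

After the change, `/ip route print` on the RB4011 should show the ISP route active at distance 1 and the 192.168.30.1 route inactive at distance 10 until the primary gateway check fails, while the hAP's only default route is the dynamic one via lte1.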