VLANs on a few APs or everywhere.

I have a silly question or idea regarding VLANs.

We are a small WISP with approx. 400 customers over a large, remote geographical area. We have a client that just requires 192.168.0.x traffic to go back to his LAN network. This is a private network just for water pumps and reading levels of the water; the sites do not require Internet traffic or access to the Internet.

Most of our customers are NATed at the SM, so we don't have many issues. He has six sites: 4 are reachable via the same AP; 2 are further down the network, 2 backhaul hops away, and those last 2 sites are on an AP there. We currently do not have VLAN running or turned on anywhere. I was wondering if I could VLAN just that AP and the one down the road, and whether they would find each other. Currently they are set up transporting across our backbone freely, other than the protocol filters in place. Or would I have to turn VLAN on for the whole network from end to end? My thought was to plan and set them on a VLAN so those six sites just appear to themselves.

Or I can route them with MikroTik routers, run EoIP and build six tunnels, thus making sure they don't go over our backhaul unencrypted and dump more traffic than is needed into it. That's my quick fix for now; in the long term I would like to have the network segmented more and easier to manage.

I inherited this situation from the previous guy who set this all up, but he's gone, so I wanted to find a way to do this better.

Snocrash

We have a similar configuration for our local village. If you have layer-2 connectivity between the sites, i.e. the backhauls don't go into routers, then yes, VLAN would be the way to do this very easily. You can enable VLAN on the required APs only.

So you'd assign that "customer" network a VLAN ID and set all of their SMs' default port VIDs to that VLAN ID. This functions like access mode on a managed switch, meaning the customer's equipment sees untagged Ethernet frames. The radios pop the tag on upon ingress and send it tagged over the RF, then the SM strips the tag upon egress (at the SM's Ethernet interface).

One thing to watch out for, and I know this from a horrible experience, is the "SM Management VID Pass-through" on this VLAN'd customer's SMs. You're probably doing what I am: VLAN ID 1 is your management and normal data network for your regular customers. We're primarily bridged right now, and our traffic was leaking into their network via the management VID. The simple solution was to disable the management VID pass-through on the VLAN'd SMs, which now means that the SMs aren't manageable locally from the Ethernet interface, but it was the only way to not change so many other things on the network.
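The access-mode behaviour and the management-VID leak described in the reply above, as an added worked model that is not part of this thread and not vendor code. It builds and parses raw 802.1Q frames and models an SM's customer-facing port: untagged customer frames get the default port VID pushed on, tagged frames get the tag stripped on egress only if their VID is allowed, and enabling management VID pass-through makes VLAN 1 frames from the backbone land on the customer's untagged port. The customer VLAN ID (100), the MAC addresses and the payloads are constructed for the example; the management VID of 1 is taken from the post.

```python
"""Model of access-mode VLAN handling on a subscriber radio's Ethernet port.

Constructed example: not Cambium/Canopy firmware logic, just a faithful model
of 802.1Q push/pop on an access port plus a "management VID pass-through" flag.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
CUSTOMER_VID = 100   # assumed VLAN ID for the water-pump sites
MANAGEMENT_VID = 1   # management / regular-customer data VLAN, per the post


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, payload, vid=None, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    frame = mac(dst) + mac(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None if untagged."""
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


class SubscriberModule:
    """Customer-port VLAN behaviour of one SM (access mode)."""

    def __init__(self, default_port_vid, mgmt_vid_passthrough):
        self.default_port_vid = default_port_vid
        self.mgmt_vid_passthrough = mgmt_vid_passthrough

    def ingress_from_customer(self, frame):
        """Customer Ethernet -> RF: push the default port VID onto untagged frames."""
        dst, src, vid, etype, payload = parse_frame(frame)
        if vid is not None:
            return None  # model assumption: access port drops already-tagged frames
        return build_frame(dst, src, payload, vid=self.default_port_vid, ethertype=etype)

    def egress_to_customer(self, frame):
        """RF -> customer Ethernet: strip the tag if this VID may exit the port."""
        dst, src, vid, etype, payload = parse_frame(frame)
        allowed = {self.default_port_vid}
        if self.mgmt_vid_passthrough:
            allowed.add(MANAGEMENT_VID)  # this is what leaked VLAN 1 into the customer LAN
        if vid not in allowed:
            return None
        return build_frame(dst, src, payload, ethertype=etype)


def backbone_frame_reaches_customer(mgmt_vid_passthrough):
    """Does a VLAN 1 broadcast from the WISP backbone exit the pump site's port?"""
    sm = SubscriberModule(CUSTOMER_VID, mgmt_vid_passthrough)
    stray = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        b"arp who-has (constructed)", vid=MANAGEMENT_VID,
                        ethertype=ETHERTYPE_ARP)
    return sm.egress_to_customer(stray) is not None


if __name__ == "__main__":
    sm = SubscriberModule(CUSTOMER_VID, mgmt_vid_passthrough=False)
    pump = build_frame("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", b"level=42 (constructed)")
    over_rf = sm.ingress_from_customer(pump)
    print("VID on the air:", parse_frame(over_rf)[2])
    print("round-trip intact:", sm.egress_to_customer(over_rf) == pump)
    print("VLAN 1 leaks with pass-through on :", backbone_frame_reaches_customer(True))
    print("VLAN 1 leaks with pass-through off:", backbone_frame_reaches_customer(False))
```

The model only captures the customer port; with pass-through disabled the SM's own management traffic is no longer reachable from that port either, which is the trade-off the reply describes.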