I have a MikroTik AP connected to my main internet router. The internet router is a DHCP server for my LAN. I have two VAPs ("public" and "private"). I'd like to be able to get an IP address from the DHCP on my main internet router from both VAPs, but I'd like to make it so my "public" VAP can only access the internet and not my LAN.
If I assign the "public" VAP interface its own IP address on a different subnet, I know how to restrict LAN access through firewall rules on the MikroTik, but then the "public" VAP will no longer find an IP address from my main router's DHCP.
Is there a way I can keep ether1, VAP1 (public), VAP2 (private) all bridged so they can all get DHCP from my main router but then restrict all VAP1 traffic to internet only?
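One way to do this while keeping everything bridged is to filter at layer 2 with RouterOS bridge filter rules. This is an added example, not part of the original post. The port name wlan-public, the LAN subnet 192.168.1.0/24 and the main router address 192.168.1.1 are assumed values to replace with your own.

```routeros
# Assumed values (not from the post):
#   wlan-public    = bridge port of the "public" VAP
#   192.168.1.0/24 = LAN subnet served by the main router's DHCP
#   192.168.1.1    = main internet router (gateway, DHCP, DNS)
/interface bridge filter

# Public clients may reach a DHCP server (broadcast discover and unicast renew)
add chain=forward in-interface=wlan-public mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=accept comment="public: DHCP requests"

# Public clients may talk to the gateway itself (next hop, DNS)
add chain=forward in-interface=wlan-public mac-protocol=ip \
    dst-address=192.168.1.1/32 action=accept comment="public: allow gateway"

# Any other IPv4 traffic from the public VAP to a LAN address is dropped
add chain=forward in-interface=wlan-public mac-protocol=ip \
    dst-address=192.168.1.0/24 action=drop comment="public: block LAN"

# Reverse direction: only the gateway may send to public clients from the LAN range
add chain=forward out-interface=wlan-public mac-protocol=ip \
    src-address=192.168.1.1/32 action=accept comment="public: replies from gateway"
add chain=forward out-interface=wlan-public mac-protocol=ip \
    src-address=192.168.1.0/24 action=drop comment="public: block LAN-initiated"

# Keep public clients off the AP's own address on the bridge (management)
add chain=input in-interface=wlan-public mac-protocol=ip \
    dst-address=192.168.1.0/24 action=drop comment="public: block AP management"
```

Rule order matters: the accept rules must sit above the drop rules for the same direction. These rules match IPv4 only, so ARP and IPv6 frames from the public VAP are not filtered by them.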