Okay I will be honest with you, I am not a master networker but I have worked with RB's in a professional element in the past.
I need to create a mobile sat link kit for my employer, something which they can go deploy themselves and I can maintain remotely this is what I am thinking but I would be happy to hear your input.
So the satellite I plan to use is a Tooway KA Band satellite with a RB951Ui-2HnD
Now here are some challenges, the sat modem has a single RJ45 presentation. When you are configuring the satellite you need to login to the sat modem interface on 192.168.100.1. The IP is issued out by the sat modem on DHCP. You go do your alignment and when it is all done you are given a public IP address instead of a DHCP pool address from the sat modem.
Problem 1#: The public IP is issued out on DHCP by the satellite in the sky. If you do not disconnect your laptop at the right time then the public IP is locked to the MAC address of your laptop and as there are only a limited number of public ip's (less than <5) this can prove a bit of a problem as when you add your router in it won't be issued an IP on the WAN side.
Possible Solution: If I configure port 1 as WAN, Port 2-4 as DHCP NAT (192.168.1.1-255) and Port 5 as DHCP 192.168.100.2-255 then I could use Port 5 as my satellite configuration port, the matching IP scheme should allow the laptop user to connect to the Sat Modem via the Mikrotik on Port 5 and even if they do not disconnect at the right time the public IP would tie itself to the MAC of the RB wan interface
Problem 2#: I won't necessarily be there to debug the equipment should something not work correctly.
Possible Solution: Enable remote access to the RB, for added security add rules that filter traffic based upon a static IP (I could use my VPN to ensure only I can remotely login). As the WAN IP can change create an email script to email me the WAN IP address. But, I would imagine I wouldn't be able to login to the satellite modem is there anyway I could remotely access that sat modem sat on 192.168.100.1?
Problem 3#: Satellite bandwidth is expensive so I want to be able to limit what the users can do.
I have no idea what would be the best way, I am reluctant to firewall filter by content because if a website had "visit us on facebook" on it by my understanding the page would be filtered. The idea of blocking specific ip's seems a bit better but that does mean I need to sit there and resolve the ip addresses also with todays CDNs in place and a moving satellite deployment I imagine the IP's would change on a location by location basis.