AP to existing network with segmentation...

Router_1 existing one (ASUS).
Wan_port: Public static IP/Internet
LAN seg_10 with DHCP hand out.

At the end I want this:
192.168.10.x: Trusted segment (seg_10)
192.168.20.x: Untrusted segment (seg_20)

New add on: Mikrotik mAP Lite

I need 2 wifi networks, one at seg_10 (Router_1 assigns all IPs) and one at seg_20 (mAP assigns all IPs).

What I have done is this, and it works as expected:
Plug eth1 (mAP) into the Router_1 LAN seg_10. Set a static IP.
Config the wifi network with 2 SSIDs. Working.
Create a bridge_10 and assign eth1 & wLAN1 (seg_10).
Create a bridge_20 and assign wLAN2 (seg_20).

Now I have 2 bridges for my segments.

Wifi clients can now connect to the SSIDs at seg_10 and seg_20.
If connected to seg_10, the IP is handed out by Router_1 (I added a DHCP relay entry).
If connected to seg_20, MT hands out the IP.

But how about the NAT masquerade?
Both seg_10 and seg_20 must go to the big www.
I have done this: created a srcnat rule with Out_IF as bridge_10 and action masquerade.

Then I made fw rules for input and forward...

Here we are not dealing with a real LAN & WAN. The LAN eth1 (bridge_10) is also the way to the big www internet, so in some way it is the WAN.
It all works as expected, BUT is this the right way to do it?

(As suggested by @mkx: I made a static route in the main router to handle all the masquerade and disabled it in mAP.)
Remember to set a static IP in the mAP, or the "static route" in the main router will stop working when the IP at eth1 changes :-)

As main router (ASUS) knows nothing about seg_20, the double NAT is the only way forward. You could slightly change the src-nat rule by adding in-interface=bridge2 making it less greedy.

Since wLAN2 is the only interface member of bridge2 you could skip using bridge2 and directly use wLAN2 interface instead.

If it is possible to configure ASUS with additional static routes, you could add a static route towards seg_20 with the gateway address of the mAP lite. This would allow you to avoid double NAT (i.e. remove the src-nat rule); only ASUS would perform NAT.

Beware that whatever you do (either keep your current setup or go with single NAT), seg_10 is accessible by seg_20 devices. If you want to block this access, you have to add some firewall filter rules, blocking packets originating from seg_20 and targeting seg_10 devices … but make sure you allow traffic towards essential services if needed (e.g. if ASUS is running DNS server/relay for LAN devices or something like that).
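The following RouterOS script is an added example, not the original poster's export nor mkx's configuration. It puts the whole setup discussed in the thread (the two bridges/SSIDs, DHCP for seg_20, the less greedy masquerade, the single-NAT alternative, and the seg_20 to seg_10 isolation with a DNS exception) into one place on the mAP Lite. Every address and name below is an assumption the thread does not state: the ASUS is 192.168.10.1 and runs DNS for LAN devices, the mAP's static address on eth1 is 192.168.10.2, seg_20 is 192.168.20.0/24 with the mAP at 192.168.20.1, the SSID names are placeholders, and the interfaces use RouterOS defaults (ether1, wlan1, virtual AP wlan2). RouterOS firewall rules match top-down, so the order shown matters.

```routeros
# Added example (assumed names/addresses, not from the thread).
# Second SSID as a virtual AP on the same radio; real SSIDs/security profiles
# are placeholders here.
/interface wireless
set wlan1 mode=ap-bridge ssid="SSID-seg10-PLACEHOLDER" disabled=no
add master-interface=wlan1 name=wlan2 mode=ap-bridge ssid="SSID-seg20-PLACEHOLDER" disabled=no

# bridge_10: trusted segment, layer-2 with the ASUS LAN.
# Because wlan1 and ether1 share this bridge, seg_10 DHCP broadcasts reach the
# ASUS directly; no relay is needed for that path.
/interface bridge
add name=bridge_10 comment="trusted seg_10, L2 to ASUS LAN"
/interface bridge port
add bridge=bridge_10 interface=ether1
add bridge=bridge_10 interface=wlan1

# Per mkx: wlan2 is the only member of the untrusted bridge, so route on wlan2
# directly instead of creating bridge_20.
/ip address
add address=192.168.10.2/24 interface=bridge_10 comment="static: ASUS static route depends on it (assumed)"
add address=192.168.20.1/24 interface=wlan2 comment="seg_20 gateway (assumed)"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ASUS is upstream (assumed)"

# DHCP for seg_20 is served by the mAP; DNS points at the ASUS (assumed).
/ip pool
add name=pool_20 ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add name=dhcp_20 interface=wlan2 address-pool=pool_20 disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.10.1

# NAT, option A (double NAT): masquerade only seg_20 traffic leaving towards
# the ASUS. in-interface keeps the rule from touching bridge_10 clients.
# NAT, option B (single NAT): disable this rule and add on the ASUS a static
# route 192.168.20.0/24 via 192.168.10.2; the ASUS then NATs for both segments.
/ip firewall nat
add chain=srcnat in-interface=wlan2 out-interface=bridge_10 action=masquerade \
    comment="seg_20 -> upstream; disable when ASUS has the static route" disabled=no

# Forward chain: isolate seg_20 from seg_10, but keep DNS to the ASUS working.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wlan2 dst-address=192.168.10.1 protocol=udp dst-port=53 action=accept \
    comment="seg_20 may query ASUS DNS"
add chain=forward in-interface=wlan2 dst-address=192.168.10.1 protocol=tcp dst-port=53 action=accept
add chain=forward in-interface=wlan2 dst-address=192.168.10.0/24 action=drop \
    comment="seg_20 must not reach seg_10 devices"
add chain=forward in-interface=wlan2 action=accept comment="seg_20 -> internet"

# Input chain: the mAP itself is managed only from the trusted side; seg_20
# clients may only talk DHCP to it.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge_10 action=accept comment="management from trusted side"
add chain=input in-interface=wlan2 protocol=udp dst-port=67 action=accept comment="DHCP from seg_20"
add chain=input in-interface=wlan2 action=drop comment="nothing else from seg_20"
```

The drop of seg_20 to 192.168.10.0/24 sits before the final accept, so it also applies with option A even though masquerading later rewrites the source address: filter rules in the forward chain are evaluated before src-nat. If the ASUS does not run DNS, remove the two port 53 exceptions and point dns-server at whatever resolver seg_20 should use.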

Thanks:-)

Static routes added in the main router, and removed the masquerade in the mAP.