I am using MikroTik for a Wi-Fi hotspot, and it works well by opening a DHCP server on the RouterBOARD and configuring the hotspot on the interface.
Now I am trying to use it for a Wi-Fi hotspot in my office, which already has a DHCP server with a local subnet (for company local PCs and servers), with the MikroTik as a Wi-Fi hotspot so that outside guests can access my company's internet without access to the local subnet.
How can I do that? Do I have to open a DHCP server on the MikroTik? How do the mobile devices that connect to the wireless access point know which DHCP server they will get their IP and internet gateway from?
I am trying to use the same wireless access point for both company machines and outside guest machines.
There are a few ways to do it with trade-offs for either security or configuration.
One way I can see it is to move your existing hotspot configuration from the physical wireless interface to a virtual wireless interface then remove the SSID/broadcast/default authentication on the physical one, and move the hotspot to a bridge. On the bridge, bridge the VirtualAP and a new VLAN (say 88 for example) for the hotspot. If you want any other interfaces on your device to connect to the hotspot, add them to the bridge too. Change the dhcp-server to the bridge as well.
Afterwards, create a new virtual AP, bridge, and VLAN for your internal office with them interconnected (perhaps a VLAN matching the last octet in the network address), and then set up an IP address, or a dhcp-client if you want it to lease from your existing dhcp-server, on that bridge. I would suggest for this virtual AP, as it would connect to your office, to set up a separate security profile (WPA2-AES or better if you can) and, if you can, disable default-authentication and broadcast, and either add the MACs or use a RADIUS server (usermanager could work if you don't have another).
If you have any existing Ethernet ports switched (master port) or bridged, you may need to update them to match, as you wouldn't want your hotspot and office networks connected at that level.
I usually set up separate VLANs just for management and disable IP neighbour discovery, MAC server, and WinBox (firewall) access on all the other interfaces except for one physical one (last Ethernet typically if it is a secured location, or none otherwise).
What I put above is based on a lot of assumptions; posting your config would help, and maybe filling in some blanks such as whether you have any existing access points on your work side, or a RADIUS server, or anything else for authentication or encryption.
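
The layout described in the answer above, written out as an added RouterOS example; it is not the answerer's own configuration. It assumes RouterOS v6 with the `wireless` package, a radio named `wlan1` that currently carries the hotspot, and a trunk uplink on `ether1`; every interface name, the office VLAN ID 10, the office subnet, the MAC address and the passphrase are placeholders.

```routeros
# Guest side: virtual AP plus VLAN 88, joined in a dedicated bridge
/interface wireless add name=wlan-guest master-interface=wlan1 ssid=Guest disabled=no
/interface vlan add name=vlan88-guest vlan-id=88 interface=ether1
/interface bridge add name=br-hotspot
/interface bridge port add bridge=br-hotspot interface=wlan-guest
/interface bridge port add bridge=br-hotspot interface=vlan88-guest

# Move the existing hotspot, its gateway address and its DHCP server to the bridge
/ip address set [find interface=wlan1] interface=br-hotspot
/ip dhcp-server set [find interface=wlan1] interface=br-hotspot
/ip hotspot set [find interface=wlan1] interface=br-hotspot

# Physical radio no longer serves clients directly
/interface wireless set wlan1 hide-ssid=yes default-authentication=no

# Office side: separate security profile (WPA2-AES), hidden SSID, MAC allow-list
/interface wireless security-profiles add name=office mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-placeholder"
/interface wireless add name=wlan-office master-interface=wlan1 ssid=Office \
    security-profile=office default-authentication=no hide-ssid=yes disabled=no
/interface wireless access-list add interface=wlan-office \
    mac-address=AA:BB:CC:DD:EE:FF authentication=yes

/interface vlan add name=vlan10-office vlan-id=10 interface=ether1
/interface bridge add name=br-office
/interface bridge port add bridge=br-office interface=wlan-office
/interface bridge port add bridge=br-office interface=vlan10-office

# Office clients lease from the existing office DHCP server through br-office;
# the router itself takes a lease there as well
/ip dhcp-client add interface=br-office disabled=no

# Assumption beyond the answer: once the router holds an address on br-office it can
# route between the two bridges, so drop guest traffic to the office subnet.
# 192.0.2.0/24 is a placeholder; the rule must sit above any forward accept rule.
/ip firewall filter add chain=forward in-interface=br-hotspot \
    dst-address=192.0.2.0/24 action=drop comment="guest to office"
```

With this layout a guest device associates with the `Guest` SSID and only ever sees the MikroTik DHCP server on `br-hotspot`, while a device on the `Office` SSID is bridged to VLAN 10 and only sees the existing office DHCP server.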