Marking packets between two routers

Hi, I’m trying to deal with the following setup. I have a RB411AH as wifi AP and RB450G as NAT/router. The AP is configured like this: eth0 has two tagged VLAN interfaces, vlan5 and vlan17, and wifi ath0 has two VirtualAP interfaces, wvlan0 and wvlan1. wvlan0 uses WPA2-PSK, wvlan1 uses 802.1x and Radius. The eth0 interface is connected to the switch via a trunk. vlan5 has a public IP address, which is used for management, accounting and radius. wvlan0, wvlan1 and vlan17 are bridged together as br0.

RB450G acts as a NAT between vlan5 (public addresses) and vlan17 (private addresses 192.168.136.0/24). The idea is that users logged in via wvlan0 using the preshared key will be restricted from getting outside the NATed network. Users logged in via wvlan1 and authenticated via radius will be able to go through NAT.

Is there any way to mark connections/packets at the AP and later use these marks at the NAT/router to decide who is authorized to go through NAT?

Thanks for any ideas and recommendations.

Sure. Use DSCP/ToS.

Set the DSCP value of all packets coming into the radio interfaces to different values depending on the incoming interface. Then NAT/police based on DSCP values.

Ideally, though, I would split out the networks and not bridge them. That way you can simply determine by IP address who goes where. Of course, that may not be possible due to other restrictions you haven’t mentioned - but usually layer 3 boundaries are a good idea whenever you’re trying to secure something.
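To make the DSCP approach concrete, here is an added example (not the poster’s or the replier’s configuration) for a Linux/iptables-based AP and router. Interface names (wvlan0 for PSK clients, wvlan1 for 802.1x clients, vlan17/vlan5 on the router) follow the thread; the DSCP values 10 and 26 are assumptions. The AP rewrites DSCP unconditionally on ingress from each radio, so a PSK client cannot simply mark its own packets as 802.1x traffic; the router then only forwards and NATs packets carrying the 802.1x mark and clears the mark before it leaves.

```shell
#!/bin/sh
# Added example, not the original poster's config. Assumed interface roles:
#   AP:     wvlan0 = WPA2-PSK clients, wvlan1 = 802.1x clients, bridged in br0
#   Router: vlan17 = private side (192.168.136.0/24), vlan5 = public side
DSCP_PSK=10     # AF11 (assumed value): PSK clients, must stay inside the private net
DSCP_8021X=26   # AF31 (assumed value): RADIUS-authenticated clients, allowed through NAT

# Print commands instead of executing them when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# AP side. -j DSCP *sets* the field, so whatever a client put in its own IP
# header is overwritten on ingress. Because the radios are bridged into br0,
# iptables only sees bridged frames when br_netfilter is enabled.
ap_rules() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -t mangle -A PREROUTING -i wvlan0 -j DSCP --set-dscp "$DSCP_PSK"
    run iptables -t mangle -A PREROUTING -i wvlan1 -j DSCP --set-dscp "$DSCP_8021X"
}

# Router side. The DSCP check lives in filter/FORWARD; NAT itself is
# unconditional because only marked packets survive FORWARD. The mark is
# cleared in mangle/POSTROUTING, which runs after FORWARD but *before*
# nat/POSTROUTING, so a DSCP match placed in the nat rule would never hit.
router_rules() {
    run iptables -A FORWARD -i vlan17 -o vlan5 -m dscp --dscp "$DSCP_8021X" -j ACCEPT
    run iptables -A FORWARD -i vlan17 -o vlan5 -j DROP
    run iptables -t nat -A POSTROUTING -s 192.168.136.0/24 -o vlan5 -j MASQUERADE
    run iptables -t mangle -A POSTROUTING -o vlan5 -j DSCP --set-dscp 0
}

case "${1:-}" in
    ap) ap_rules ;;
    router) router_rules ;;
esac
```

Run with `DRY_RUN=1 ./dscp-policy.sh ap` to review the generated rules before applying them; note that the marking only holds if every hop between AP and router (the switch trunk in this case) leaves the DSCP field untouched.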

Ok, I will try DSCP. I can’t use different networks, because it is a network in a lab and we need to have all users in one broadcast domain. There are a lot of embedded boxes, PLCs and so on installed. Some of them are wireless but dummy (they don’t understand 802.1x).

Users should log in with credentials against radius (to track down who downloads via torrent :)). Dummy clients and boxes will log in via PSK.