Need some assistance here for proper setup

Consider the following setup.
Setup question.jpg
Router RBA and RBB are both MikroTik routers.
RBA has all interfaces bridged and two vlan interfaces tied to the bridge (id 18 and 20)
3 dedicated networks are available for the three interfaces
192.168.109.0/24 for the bridge
172.18.16.0/23 for vlan18
172.20.16.0/23 for vlan20
For each network / interface a DHCP server is configured.
This is all functioning very well. Connected multiple Unifi AP devices and they all get an untagged IP 192.168.109.x for management and 172.20.16.x for user traffic.
Also connected various Ubiquiti Nanostations. For management on untagged interface, configured with vlan18 interface for user communication. Device acting as router including NAT, local 192.168.1.0/24 on LAN.

Now comes the challenge.
I need to configure RBB with the following requirements

  • I want to be able to connect a Unifi AP, which needs untagged and vlan20 tagged communication towards RBA.
  • TPlink router’s WAN interface should get an IP address in 192.168.1.0/24 range from RBB
  • RBB should have an IP address in vlan20 range 172.20.16.0 which should be used as masquerading address for traffic coming from the TPlink router
  • I want RBB to have an management address in the untagged segment 192.168.109.0/24

How am I going to make sure that the traffic that comes from the TPlink router is src-nat’ted with the correct 172.20.16.0 address and the traffic is tagged with vlan20. I can think of a situation that when the RBB is having 2 IP’s to communicate towards RBA (192.168.109.x and 172.20.16.x) it is difficult to achieve.

What I was thinking

  • Create a bridge between port 4 and 5 and put the 192.168.109.0 address
  • Create a vlan20 interface on the bridge and obtain an IP address via DHCP (coming from RBA)
  • Assign IP 192.168.1.1 to ether1 and configure DHCP for it.
  • Create NAT masquerading rule with src-address=192.168.1.0/24
    and then I am lost. Probably need some mangle rules but I think I need some assistance here

This seems like a lot of trouble to go through for one TPlink router! :open_mouth:

The ether4/ether5 bridge should work just exactly like the setup on RBA.

Create the vlan20 interface on the bridge just like on RBA.

But don’t put an IP address on the interface. Instead, set the ARP type to proxy-arp on the vlan20 interface.
Then choose a static IP from 172.20.16.0 for the “TPLink” virtual IP in your customer VLAN, e.g. 172.20.16.2 (make an exception in the DHCP scope - you should always skip a few addresses in your pool to leave room for static hosts)
Then in RBB, create a /32 static route: 172.20.16.2/32 → 192.168.1.X (where X is the TPlink.) If the TPLink is a DHCP client, you can even make the gateway=Ether1 for this static route - it’s only there to cause RBB to know that it should answer proxy-arp requests for 172.20.16.2

Configure srcnat chain rule: out-interface=vlan20, but use src-nat as the action, not masquerade.
Configure dstnat chain rule: dst-address=172.20.16.2 action=dst-nat to-addresses=192.168.1.2
(2nd rule only if the TPlink is static)

Then create static routes:
0.0.0.0/0 gateway=172.20.16.1 route-mark=tplink
172.20.16.0/24 gateway=vlan20 route-mark=tplink
192.168.1.0/24 gateway=ether1 route-mark=tplink

mangle table rule:
/ip firewall mangle add chain=prerouting in-interface=ether1 action=mark-routing new-routing-mark=tplink

This will force the TPlink onto vlan20 with proper NAT, while leaving the main routing table alone.
You can then put RBB’s management IP onto the bridge, etc.
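The recipe above, written out as a complete RBB configuration. This is an added example and not the poster's own config: it assumes RouterOS 6 syntax, interface names ether1 (TP-Link WAN side), ether4/ether5 (towards RBA), a bridge named bridge, the vlan20 IP 172.20.16.2 reserved for the TP-Link, RBA's vlan20 gateway at 172.20.16.1, a static lease of 192.168.1.2 for the TP-Link (placeholder MAC), and the /23 mask the question gives for 172.20.16.0.

```routeros
# --- Bridge ether4+ether5 towards RBA, exactly like on RBA ---
/interface bridge add name=bridge
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5

# Management IP on the untagged segment, obtained from RBA's DHCP server.
# This also installs RBB's default route in the main routing table.
/ip dhcp-client add interface=bridge disabled=no

# --- vlan20 on the bridge: NO IP address, proxy-arp instead ---
# RBB answers ARP for 172.20.16.2 on RBA's behalf because a route to that
# /32 exists (see below); no address is bound to the interface itself.
/interface vlan add name=vlan20 vlan-id=20 interface=bridge arp=proxy-arp

# --- LAN side for the TP-Link router's WAN port ---
/ip address add address=192.168.1.1/24 interface=ether1
/ip pool add name=tplink-pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server add name=dhcp-tplink interface=ether1 address-pool=tplink-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
# Static lease so the TP-Link is always 192.168.1.2 (MAC is a placeholder, assumption).
/ip dhcp-server lease add address=192.168.1.2 mac-address=00:11:22:33:44:55 server=dhcp-tplink

# --- /32 route that makes proxy-arp answer for the virtual IP ---
# 172.20.16.2 must be excluded from RBA's vlan20 DHCP pool.
/ip route add dst-address=172.20.16.2/32 gateway=192.168.1.2 comment="TP-Link virtual IP"

# --- NAT: fixed src-nat (not masquerade) so the virtual IP is always used ---
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 out-interface=vlan20 \
    action=src-nat to-addresses=172.20.16.2 comment="TP-Link -> vlan20"
# Only because the TP-Link has a fixed lease: inbound to the virtual IP reaches its WAN port.
/ip firewall nat add chain=dstnat in-interface=vlan20 dst-address=172.20.16.2 \
    action=dst-nat to-addresses=192.168.1.2 comment="vlan20 -> TP-Link WAN"

# --- Separate routing table for everything arriving from the TP-Link ---
/ip route add dst-address=0.0.0.0/0 gateway=172.20.16.1 routing-mark=tplink
/ip route add dst-address=172.20.16.0/23 gateway=vlan20 routing-mark=tplink
/ip route add dst-address=192.168.1.0/24 gateway=ether1 routing-mark=tplink

# Mark before routing so the tplink table is consulted; main table is untouched.
/ip firewall mangle add chain=prerouting in-interface=ether1 \
    action=mark-routing new-routing-mark=tplink passthrough=no

# --- Minimal input protection: RBB is now reachable from two segments ---
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge action=accept comment="management"
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=67 action=accept comment="DHCP for TP-Link"
/ip firewall filter add chain=input in-interface=vlan20 action=drop comment="no management via customer VLAN"
```

Two checks after applying it: `/ip route print where routing-mark=tplink` must list the three marked routes as active, and `/ip arp print` on RBA should show 172.20.16.2 resolving to RBB's bridge MAC once the TP-Link sends traffic. On RouterOS 7 the routing mark has to exist as a table first (`/routing table add name=tplink fib`) and the routes use `routing-table=tplink` instead of `routing-mark=`. The dst-nat rule exposes the TP-Link's WAN port to every host on vlan20, so leave it out unless that is wanted.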