Point-to-Point link between RB2011 Vlan switch and CCR1009 router .. Nat Issue?!

Hello guys. I might be missing some basic NAT concepts, or what I want simply cannot be done, so guide me in this scenario.
I have two MikroTik routers: one (RB2011) dedicated to VLAN switching, and the other (CCR1009) for the hotspot service.

RB2011 settings:

ether3: 192.168.100.2/30 (port connected to CCR)
/ip route add gateway=192.168.100.1 (Static route to CCR)

Vlan1: 10.100.1.1/24 - dhcp-pool: 10.100.1.2-10.100.1.254
Vlan2: 10.100.2.1/24 - dhcp-pool: 10.100.2.2-10.100.2.254


CCR Settings:

ether3: 192.168.100.1/30 (port connected to RB2011)
/ip route add dst-address=10.100.1.0/24 gateway=192.168.100.2 (Static route to Vlan1 in RB2011)
/ip route add dst-address=10.100.2.0/24 gateway=192.168.100.2 (Static route to Vlan2 in RB2011)

Create hotspot server for ether3 with address-pool=none
Do NAT and route to ISP and so on..


Now both VLAN subnet ranges (RB2011) connect properly to the hotspot server (CCR1009), the login page shows up and authentication works, so everything works correctly on both MTs.

But if I move from one VLAN subnet to the other (switching between APs), I lose the connection and have to log in to the hotspot again
(enabling mac-login will solve it, but it’s not an option for me due to the public wifi nature).

To solve this I added a NAT rule (on the RB2011 side) → /ip firewall nat add chain=srcnat out-interface=ether3 action=masquerade

But this NAT rule brought me another issue: all the connected hosts now have their addresses natted to (192.168.100.2) when they log in to the hotspot server on the CCR.

Host A connects to VLAN1 and gets address: 10.100.1.50 (RB2011 side)
Host A logs in to the hotspot server (CCR1009 side); the address 10.100.1.50 is natted to 192.168.100.2

Host B connects to VLAN2 and gets address: 10.100.2.150 (RB2011 side)
Host B logs in to the hotspot server (CCR1009 side); the address 10.100.2.150 is natted to 192.168.100.2

Again, because of this rule → /ip firewall nat add chain=srcnat out-interface=ether3 action=masquerade (RB2011 side)
So clearly I can’t do QoS or traffic shaping on the CCR if all my hosts have the same IP address (192.168.100.2)

How can I solve this problem?

One more thing to clarify: adding the VLAN interfaces to a bridge and doing hotspot based on that bridge is a solution, but as stated in this post
http://forum.mikrotik.com/t/bridged-vlan-on-physical-interfaces-to-the-new-vlan-bridge-filtering/132766/1

a bridge with VLAN interfaces added as port members is not the right way of dealing with VLAN bridge filtering / VLAN switch concepts.
So I considered separating my whole configuration into two devices: RB2011 for VLAN switching and CCR for hotspot service.