Hi there,
Can someone help me on how to prevent wifi clients connected to the Mikrotik AP to see the entire network? I just want them to surf the web and not to see the 192.168.1.0/24 network.
Please see the drawing attached.
Regards 
Cofran
If the connection (ethernet?) Between main router and RB941 is dedicated to that connection, then the best way would be to “overload” main router with subnet 192.168.88.x/24 … set an IP address from this subnet to the dedicated interface and configure firewall rules to prevent connectivity between 192.168.1.0/24 and 192.168.88.0/24. At the same time the RB941 should be reconfigured to bridge mode (bridge between ethernet and wireless), dissbling the routing and firewalling. You can keep DHCP server for that subnet running on RB941, but set default gateway to the IP address of the main router.
All of the above is possible to configure on (almost) any Mikrotik, but close to impossible on other consumer-grade routers.
Thanks for the quick reply MKX.
Yes, the connection between the main and the RB941 is a dedicated cable.
One small spec is that I don’t have access to the main router so I can’t change anything in there.
How can I configure firewall rules to prevent connectivity from 192.168.88.0/24 to 192.168.1.0/24? I don’t need the other way round.
Regards,
Cofran
Something like the following might help:
/ip firewall filter
# add the commented rule if you want to allow connections from 192.168.88.0/24 to the main router
#add chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.1 action=accept
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.0/24 action=drop