Greetings everyone,
First of all, I'm really new to the MikroTik environment and to networking in general, so I apologise in advance if the following questions seem rather ridiculous. Please bear with me.
I just bought an hAP ax3 as my second router and, after reading here and there, I successfully managed to put it to use. Here's the topology:
- ONT ISP 1 (192.168.1.1) & ONT ISP 2 (192.168.18.1), connected to my first router (non-MikroTik) via PPPoE. The subnet used on this router is 192.168.2.0/24. This is my main subnet for the family (PCs, IoT, etc., all of them).
- That router is connected to the hAP ax3 via a static IP.
Then on this MikroTik I created 2 subnets (one for general DHCP and one for the hotspot):
/ip address
add address=192.168.2.2/24 interface=ether1 network=192.168.2.0
add address=10.10.0.1/24 interface=bridge-hotspot network=10.10.0.0
add address=192.168.3.1/24 interface=bridge-lan network=192.168.3.0
Everything goes smoothly. Those two subnets can reach the internet successfully, no issue whatsoever connection-wise. But the problem is that the hotspot subnet can reach the subnet on the main router (but not the subnet used on dhcp-lan), and it can also access the ONTs. So I made firewall rules; I'm not sure if the rules are correct, but after implementing them (and please do correct me if something is off with the rules), the hotspot subnet cannot reach those subnets anymore, which is great.
/ip firewall filter
add action=drop chain=forward comment="disable traffic from hotspot to 192.168.2.0/24" connection-state=invalid,new dst-address=192.168.2.0/24 src-address=10.10.0.0/24
add action=drop chain=forward comment="disable traffic from hotspot to 192.168.1.0/24" connection-state=invalid,new dst-address=192.168.1.0/24 src-address=10.10.0.0/24
add action=drop chain=forward comment="disable traffic from hotspot to 192.168.18.0/24" connection-state=invalid,new dst-address=192.168.18.0/24 src-address=10.10.0.0/24
Now I would like to access the hotspot APs from my dhcp-lan (192.168.3.0/24). The reason is that I need to manage the APs' settings (Wi-Fi channels, firmware updates) from time to time. I have put them in IP bindings, if that makes sense:
/ip hotspot ip-binding
add address=10.10.0.2 comment="Access Point 1" to-address=10.10.0.2 type=bypassed
add address=10.10.0.3 comment="Access Point 2" to-address=10.10.0.3 type=bypassed
add address=10.10.0.4 comment=UNUSED to-address=10.10.0.4 type=bypassed
add address=10.10.0.5 comment="Access Point 4" to-address=10.10.0.5 type=bypassed
add address=10.10.0.6 comment="Access Point 5" to-address=10.10.0.6 type=bypassed
add address=10.10.0.7 comment=UNUSED to-address=10.10.0.7 type=bypassed
add address=10.10.0.8 comment="Access Point 8" to-address=10.10.0.8 type=bypassed
But with the following rules, I cannot reach them:
add action=accept chain=forward connection-state=established,related dst-address-list=hotspot_ap in-interface=bridge-lan log=yes src-address=192.168.3.0/24
add action=accept chain=forward connection-state=new dst-address-list=hotspot_ap in-interface=bridge-lan log=yes src-address=192.168.3.0/24
*hotspot_ap = the APs on the hotspot subnet.
So I was wondering what the right rules are to access the APs from 192.168.3.0/24 (while maintaining the restricted access from the hotspot to the LAN subnet). Also, for the same reason, is it possible to access those APs from my main router (192.168.2.0/24)? Since it isn't a MikroTik, I'm afraid I can't set any advanced firewall rules on that router. I realise that it would be much easier to get rid of the router and solely use the hAP for the sake of simplicity and ease of management, but since I'm still a noob, I figure it's safer to use the non-MikroTik as the main machine for now.
Thank you so much in advance. Sorry for the bad English; it's not my mother tongue.
Cheers!
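Added example (editor's illustration, not part of the original post and not the poster's working config): one way to write the policy described above in RouterOS syntax, with the address-list names `hotspot_ap` and `hotspot_blocked`, the interface names, the subnets and the AP addresses taken from the post or assumed. It expresses the intent in a single ordered forward chain: replies first, then management access from the LAN side to the APs only, then isolation of the hotspot from every private network. The rule allowing access from 192.168.2.0/24 additionally assumes the non-MikroTik main router can hold a static route for 10.10.0.0/24 via 192.168.2.2, since otherwise its hosts have no path to the hotspot subnet.

```routeros
# Added example, not from the original post. Names and addresses are taken
# from the post; "hotspot_blocked" is an assumed list name.

/ip firewall address-list
# APs living on the hotspot subnet (the UNUSED bindings are left out)
add list=hotspot_ap address=10.10.0.2 comment="Access Point 1"
add list=hotspot_ap address=10.10.0.3 comment="Access Point 2"
add list=hotspot_ap address=10.10.0.5 comment="Access Point 4"
add list=hotspot_ap address=10.10.0.6 comment="Access Point 5"
add list=hotspot_ap address=10.10.0.8 comment="Access Point 8"
# Everything hotspot clients must never reach, as one list instead of one rule per subnet
add list=hotspot_blocked address=192.168.1.0/24  comment="ONT ISP 1"
add list=hotspot_blocked address=192.168.18.0/24 comment="ONT ISP 2"
add list=hotspot_blocked address=192.168.2.0/24  comment="main router LAN"
add list=hotspot_blocked address=192.168.3.0/24  comment="dhcp-lan"

/ip firewall filter
# 1. Replies to already-accepted connections (an AP answering a LAN admin session)
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to accepted connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 2. Management access: only new connections from dhcp-lan to the APs, nothing else on 10.10.0.0/24
add chain=forward action=accept connection-state=new in-interface=bridge-lan \
    src-address=192.168.3.0/24 dst-address-list=hotspot_ap \
    comment="dhcp-lan -> hotspot APs"

# 3. Same from the main router's LAN, arriving on ether1.
#    Assumption: the main router has a static route 10.10.0.0/24 -> 192.168.2.2.
add chain=forward action=accept connection-state=new in-interface=ether1 \
    src-address=192.168.2.0/24 dst-address-list=hotspot_ap \
    comment="main LAN -> hotspot APs"

# 4. Hotspot clients get the Internet and nothing private.
add chain=forward action=drop connection-state=new in-interface=bridge-hotspot \
    dst-address-list=hotspot_blocked \
    comment="isolate hotspot from private networks"
```

Ordering is the whole point: rule 2 must sit above any rule that drops new connections into the hotspot bridge, including the "drop all from WAN not DSTNATed" rule of the hAP default configuration if ether1 is in the WAN interface list, and above the dynamic rules the hotspot itself inserts (shown with the D flag in `/ip firewall filter print`). To verify, ping or open the AP's web UI from a host in 192.168.3.0/24 (not from the router itself, whose own traffic goes through the output chain, not forward) and watch the counters with `/ip firewall filter print stats`; if the packet counter of the "dhcp-lan -> hotspot APs" rule stays at zero, an earlier rule or a dynamic hotspot rule is matching first.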