I already know the best answer is to replace all APs with MikroTik and I have done that with 4 APs. I am happy with the guest network with the MikroTik APs, controlled by CAPsMAN, where guests are on one subnet and non-guests are on another. However, there is one remaining Engenius AP I am trying to get working the way I want for guests.
The Engenius has a guest SSID feature which sets up a subnet separate from the non-guest SSIDs which are bridged to the router. It has a DHCP server and IP pool for guests and I guess does NAT from that subnet to the bridge. For a guest host, the router assigns an IP address from the local bridge pool. The host gets an address from the guest DHCP pool on the AP. My goal is to not use the guest feature of the Engenius.
The Engenius allows VLAN tagging for SSIDs, so I am trying to use that to get Engenius guests, with their unique SSID, to be part of the guest subnet of the router. The router is a CCR1009 which doesn’t have a switch chip. However, connected to it is a wAP G-5HacT2HnD and I could plug the cable to the Engenius into that if if it would help.
Of all the many things I have tried, the best I could do is get a proper IP address assigned to the Engenius guests but they could not get to the Internet. So I give up and am asking for advice on how to accomplish my goal.