Wondering if this is possible with RouterBOARD

Hi

I'm a bit of a n00b in networking, so I thought I could ask for advice to clarify the steps I need to take here. I need to secure the WiFi traffic in a public place where there is a high chance of sniffing/exploiting, as many random secure/unsecured networks are around and a lot of random people are around.

My idea was to create an L2TP/IPsec setup to secure the data passing between an authorised client and the router (from the router it goes over a physical wire, so this does not worry me too much right now), in such a way that users who connect to the WiFi will have no access to the internet before the L2TP/IPsec connection is up. And later also securing verified clients so that they do not have access to the internet within a specific WiFi area before the secure connection is up (like the basis of "always on VPN" on Android devices with some firewall rules), so their traffic would not leak before the secure connection allows it. Is this a reasonable configuration to achieve with a RouterBOARD, OS X clients and Android clients?

Yes, it is very much possible using a MikroTik RouterBOARD.

You need to add two different IP address pools: one for the WiFi DHCP pool, another IP pool for the VPN.

Do not NAT the WiFi DHCP pool; this pool is only used for WiFi connectivity with the client.

Create NAT rules on the VPN pool, so any of your clients first connect to the unsecured WiFi network, then dial in via the VPN client, get a NATed IP from the MikroTik VPN server, and get internet access via the secure wireless link.
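As an added example (not from the thread or from Nawshad), one way to express this answer as RouterOS commands, assuming wlan1 is the WiFi interface, ether1 is the uplink, the 10.10.0.0/24 and 10.20.0.0/24 ranges, the user name and the secrets are placeholders, and the firewall has no conflicting earlier rules. The forward drop rule goes beyond the answer: it is what stops WiFi clients from leaking traffic before the tunnel is up, which is the "always on" behaviour the question asks for.

```routeros
# Two separate pools: one for plain WiFi clients, one for VPN-authenticated clients
/ip pool add name=wifi-pool ranges=10.10.0.10-10.10.0.250
/ip pool add name=vpn-pool ranges=10.20.0.10-10.20.0.250

# Router address and DHCP server on the WiFi side (assumed interface wlan1)
/ip address add address=10.10.0.1/24 interface=wlan1
/ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1
/ip dhcp-server add name=wifi-dhcp interface=wlan1 address-pool=wifi-pool disabled=no

# L2TP/IPsec server: VPN users get an address from vpn-pool, IPsec is mandatory
/ppp profile add name=vpn-profile local-address=10.20.0.1 remote-address=vpn-pool \
    dns-server=10.20.0.1
/ppp secret add name=alice password=CHANGE-ME-USER-PASSWORD service=l2tp profile=vpn-profile
/interface l2tp-server server set enabled=yes default-profile=vpn-profile \
    use-ipsec=required ipsec-secret=CHANGE-ME-PRESHARED-KEY

# NAT only the VPN pool towards the uplink (assumed ether1); the WiFi pool is never NATed
/ip firewall nat add chain=srcnat src-address=10.20.0.0/24 out-interface=ether1 \
    action=masquerade comment="internet only for VPN clients"

# Input: WiFi clients may reach the router only for IKE, NAT-T, L2TP and DNS-free setup
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=500,4500,1701 \
    action=accept comment="IKE, NAT-T, L2TP from WiFi"
/ip firewall filter add chain=input in-interface=wlan1 protocol=ipsec-esp action=accept
/ip firewall filter add chain=input in-interface=wlan1 action=drop \
    comment="nothing else from unauthenticated WiFi clients"

# Forward: traffic sourced from the WiFi pool is never routed anywhere, so nothing
# leaks before the tunnel is up; VPN pool traffic (10.20.0.0/24) is forwarded normally
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward src-address=10.10.0.0/24 action=drop \
    comment="WiFi clients may only talk to the router until the VPN is up"
```

Rule order matters in RouterOS: if the device already has a default firewall, check `/ip firewall filter print` and use `place-before=` so the accept rules sit above any existing drop. The DHCP server on RouterOS is not affected by the input drop, since it does not go through the normal filter path.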

Thank you Nawshad for the fast and clear answer, this is really helpful.

Don't forget to give one karma, just click on the + sign on the left side of this page below my name.