I personally think it's much better security-wise to have total control over what comes in and out of the router to devices behind the router.
Double NAT means that the IP the modem/gateway gives you is already a private IP, and thus if you want outside users to be able to access any of your devices (typical examples are being able to print something from away, access to a database, RDP traffic, a game server, an FTP server, etc.), it becomes much more difficult, because you have to go to the modem gateway and forward all incoming traffic on that port to the private IP it's giving you, then you have to do the same on the router. You lose fidelity of how you can control the traffic, especially if port forwarding limitations exist on the modem gateway. The modem gateway may have other built-in limitations such as throughput allowed, whether or not VPN is permitted or perhaps limited to some types, etc. It's a smorgasbord of unknowns. For the typical home user it's usually fine, but for business-level needs, it's abhorrent.
Got it, I'll just get another AP then.
The APs should work fine if they can VLAN tag!
So my question is: what is providing the hotspot service, another device or the MikroTik router?
Yes, they can VLAN tag. But how do I check that the tags work properly? Is it possible to route the VLAN tag so that only a specific tag is routed to a different hotspot service?
So, VLAN tag 10 --> hotspot service A with only a confirmation and ToS page. Users just have to press the "Login" button
VLAN tag 20 --> hotspot service B with usual user:password entry
The hotspot service will be handled by the RB750r2
Your answer also indicated something new, that perhaps along with the office and guest users, there will be separate home wifi users ON THE TWO APs downstairs and upstairs?
Or were you simply referring to the home users currently connecting to the modem gateway (which will probably get their own AP)?
In total, there will be 4 APs.
2 APs for the home users (the first one is the Modem/AP that I proposed in my initial topology, but from your input I'll just plug another AP on ether4 and bridge ether2+ether4 together?)
2 APs for the office, 2 VAPs each