Hello to everyone,

in the last few years I have used a RB3011 as my home network router without taking full advantage of it. Since last year I moved to my new house, where I was able to route cables and generally figure out the physical layout of my network. Then I had to pause the entire project and leave it at basically the standard configuration, but now the time has come to properly set up things.

I've attached my home current layout.

The two APs are ubiquiti nanoHD AC, the switch is a dumb TP-Link that I plan to upgrate to a PoE one in order to power up more security cameras. Right now all my PoE devices are powered by injectors.

As you can see, I am also experimenting with a server that runs Unraid and several things (torrent client, plex server, gitlab instance, etc etc.), but I have a few questions:

1) It seems to me that this setup is affected by double NAT, as i have two "jumps": ISP -> 192.168.1.0 -> 192.168.88.0. This makes accessing from internet complicated, am I right? How could I simplify things? My target is to be able to expose the home server to the internet in order to be able to answer to API call or enable services like gitlab to be available outside it.
2) I could setup the RB3011 as a PPPoE client and connecting directly to the ISP, but how could I do this while mantaining access to the draytek? It seems that the answer may be "VLAN", but that's uncharted territory for me...
3) I would like to segregate guest phones from family ones, is that something I should do on the ubiquiti config or on the RB3011 config? The RB is the one giving everybody IP and is the default gateway.
4) It is possible to restrict admin access to a handful of devices? I want to be able to tinker with RB settings only from this and that PC, even if I insert the right credentials in another devices. Or is this a bad idea?

Thank you for your time!

If the Draytek is anything like the Huawei and Zyxel DSL modems we get her in Ireland then you can configure them to bridge your connection and then have the RB3011 handle PPPoE.

On my old setup I used to do just this. Huawei Modem bridged, port 1 of the Huawei connected to Port 1 of the RB3011 and PPPoE client on that interface.

You can use Quickset on the RB3011 to configure your PPPoE Client and add a default firewall to get you started.

For management it really depends on how the Draytek can be configured, there's nothing technically wrong with having a normal IP address on an Ethernet port that also has the PPPoE client, I expect that can be configured at the Mikrotik end but it's anyone's guess whether the Draytek supports it. If it's not supported, you could probably make a separate connection from RB3011 to a different port on the Draytek for management.

For restrictions under IP / Services you can restrict access to Winbox, SSH etc based on source IP. Make sure you don't lock yourself out, for example it might be an idea to configure the Winbox restrictions while you're connected by SSH. Then test Winbox before applying your SSH restriction. And so on.

Sorry for the late reply, I had a few personal issues....

Thank you for the PPPoE quickset suggestion, I'll try it.
Also, with the current setup it's really hard for me to expose the home server to the net, I think is due to the double NAT.... How could I prevent such issue?
Sorry for thew really dumb questions, but it just has not "clicked" yet for me...