Hi everyone.
I'm looking for help on setting up a solid solution for accessing a virtual AP using two distant devices (and possibly via VLAN).
My hardware configuration is the following:
uplink<->[eth1]CRS109-8G-1S-2HnD[eth7]<->CRS112-8G-4S-IN<->RBwAP2nD
CRS112-8G-4S-IN works as a switch, RBwAP2nD works as an AP bridge. All the devices are connected via single ethernet cables (and because of physical limitations, I cannot change it by adding other links). The eth addressing space is flat 192.168.88.0/24 and DHCP is bound to the bridge on CRS109-8G-1S-2HnD.
CRS109-8G-1S-2HnD has two virtual APs: internal.IOT(1) and external.IOT(2). They use separate bridges and addressing spaces (192.168.100.0/24 and 192.168.90.0/24, respectively). Network (1) has routing to the outside disabled via a firewall drop rule.
On the other "end", RBwAP2nD hosts a "technical" AP, which is required at the moment. As it works as a bridge, all devices connecting to the RBwAP2nD get 192.168.88.0/24 IPs from the DHCP server located on the CRS109-8G-1S-2HnD.
So far it works perfectly.
---
What I need to add to this infrastructure is an "internal.IOT" network, hosted by the RBwAP2nD as a virtual AP, parallel to the existing "technical" AP. However, I need to make this network bound to the "internal.IOT" hosted by CRS109-8G-1S-2HnD to constitute a solid and consistent subnetwork, without routing to the public one, yet devices connected to "internal.IOT" on CRS109-8G-1S-2HnD should be able to "see" devices connected to "internal.IOT" hosted by RBwAP2nD. They use a separate addressing space (192.168.100.0/24) and DHCP is located on the CRS109-8G-1S-2HnD. I assume I must somehow "tunnel" the "internal.IOT" between CRS109-8G-1S-2HnD and RBwAP2nD, possibly over VLAN on eth, but I have no clue how to start the configuration.
Any help is really appreciated.
Regards,
P.