robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

How do I take this? Static routes?

Wed Dec 20, 2017 8:13 pm

Hi guys,
I'm facing a rare problem at one of my client's locations.

We recently put 2 hAP Lites in two rooms in which both serve wifi and ethernet to mobile and desktop clients via a switch in each room. Each hAP has its own DHCP and IP pool in different subnets. The first hAP gets its WAN from the main office's ONT, the second hAP is connected to the first hAP Lite. Please see my attached diagram.

Now, the problem!

There are two DVRs which need to be accessed from either the main office, room 1 or room 2. The problem is that those DVRs are inaccessible and we cannot change their IP configuration. They have static IPs set in a different subnet. Previously, they were connected via ethernet directly to the old ONT but the layout of the building changed this year. They are behind the second hAP Lite as in the diagram attached.

Is there a way to configure the main ONT and the two hAP Lites in order to be able to access the DVRs from within each subnet?

The ONT is in 192.168.1.0/24
The first hAP is in 192.168.88.0/24
The second hAP is in 192.168.89.0/24
The DVRs have a static 192.168.1.222 and 192.168.1.111

Is this possible using static routes and port forwarding, or do I need to reconfigure the hAPs and make them bridges so that the main ONT serves as DHCP server for all devices in all rooms? I would like not to do that.

Attachment: Drawing (1).jpeg
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: How do I take this? Static routes?

Wed Dec 20, 2017 8:18 pm

In an in-house network structured like that, you would normally use "bridge" mode instead of "routing" mode, so everything is in a single subnet and all addresses are assigned by the router closest to the WAN (or are static).
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Wed Dec 20, 2017 8:22 pm

pe1chl wrote:
> In an in-house network structured like that, you would normally use "bridge" mode instead of "routing" mode, so everything is in a single subnet and all addresses are assigned by the router closest to the WAN (or are static).

Yes I would use that too, but this location is very limited in what I can do and configure. They have a bunch of devices like DVRs and some other equipment on which we don't have access credentials. It's a mess really!
Also, that ONT they have there is garbage, I wouldn't want that to manage the network in there.
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: How do I take this? Static routes?

Thu Dec 21, 2017 9:52 am

You don't need any access to anything else than MikroTiks, to make it more simple (unless clients in room 2 and 3 have static IPs on their devices). Just make these MikroTiks in "bridge mode", so they rather behave like switches with AP than routers. Right now, clients of the last MikroTik are behind 3 NATs!
If you set up MikroTiks let's say to addresses 192.168.1.254 (room1) and 192.168.1.253 (room2) and you make them as switches, you can also use CAPsMAN to configure WiFi, so you will have clients manageable on only one of these devices.
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Fri Dec 22, 2017 4:08 pm

I put them in bridge mode today and everything is fine now.

I will have to re-configure them in spring, I'll check and see what options I have because I don't like the cheap ONT being the "brain" of the whole LAN. Maybe I can play with ports and multiple bridges and do separate subnets for each room and also use one of the ports to connect the DVRs in the main subnet. I have an idea but I'll have to test it.

Thanks everyone
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: How do I take this? Static routes?

Fri Dec 22, 2017 4:30 pm

Of course you can do that, but I would recommend using a different VLAN for each of the different purposes and still bridge those across all the devices.
In the new version all the different VLANs should be set up in the same bridge, but you can specify on which ports they are tagged and untagged.
Then you can use a port with tagged VLANs (often called a trunk) to interconnect all the routers and use untagged ports to connect each device to its VLAN.

It should become more common practice to do this as even in a home setting it is more prudent to have separate networks for e.g. IoT devices, computers, guests etc.
(we have had this for a long time on our company network and I do this at home as well, but until now it was just too complicated for the average home user - this should become simpler as device manufacturers realize that security is important and should be easy or automatic)
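
A sketch of the single-bridge VLAN layout described in this post, as an added example that is not from the thread or from MikroTik's documentation. It assumes a device with no bridge configured yet; the VLAN IDs (10, 20, 30), the port roles and the interface name `vlan10-mgmt` are assumptions chosen for illustration.

```routeros
# Assumed roles: ether1 = trunk to the next router, ether2 = office PC,
# ether3 = DVR/IoT device, wlan1 = guest Wi-Fi.

# Create the bridge with filtering off so the device stays reachable
# while the VLAN table is being built.
/interface bridge add name=bridge1 vlan-filtering=no

# Trunk port: only tagged frames are accepted.
/interface bridge port add bridge=bridge1 interface=ether1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Access ports: pvid assigns untagged ingress frames to one VLAN,
# and tagged frames from the attached device are refused.
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=wlan1 pvid=30 \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: tagged on the trunk, untagged on the matching access port.
# bridge1 itself is a tagged member of VLAN 10 only, so the router's own
# management address is reachable from that VLAN alone.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 \
    tagged=ether1,bridge1 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 \
    tagged=ether1 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=30 \
    tagged=ether1 untagged=wlan1

# Management interface in VLAN 10 (address obtained by DHCP here).
/interface vlan add name=vlan10-mgmt interface=bridge1 vlan-id=10
/ip dhcp-client add interface=vlan10-mgmt disabled=no

# Enable filtering last, then review the resulting table.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
```

Traffic between the VLANs then has to pass through whichever router holds the gateway addresses, which is where firewall rules between IoT, guest and office networks are applied.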
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 3:53 am

I'm reviving this topic as I'm back tomorrow at that location.

Currently the HAPs are now in bridge mode and all is fine but now I need to put a DHCP server on one interface on the first HAP that will give a classroom IPs for devices while having Internet access of course.

The HAP being now in bridge mode can I just take for example eth4, assign an IP, a pool and DHCP and the rest of the ports will still act as a bridge as they are now?


 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 6:16 am

You can. If you want to keep that traffic separate from the rest you would have to put in firewall rules on the hAP that you put the new network on. The rules would keep the 2 subnets from contacting each other.

If you look at the default config of a MikroTik, you can see in /ip firewall nat the masquerade rule. Set your out-interface to be the bridge. Then the new DHCP network will be natted underneath the hAP that it's connected to. That is, if you want NAT. If not, you would have to route it.

Hopefully you follow what I'm saying.
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 9:54 am

acruhl wrote:
> You can. If you want to keep that traffic separate from the rest you would have to put in firewall rules on the hAP that you put the new network on. The rules would keep the 2 subnets from contacting each other.
>
> If you look at the default config of a MikroTik, you can see in /ip firewall nat the masquerade rule. Set your out-interface to be the bridge. Then the new DHCP network will be natted underneath the hAP that it's connected to. That is, if you want NAT. If not, you would have to route it.
>
> Hopefully you follow what I'm saying.

The classroom should be allowed to access the main subnet (printers, etc) so there is no need for firewalling. So basically I should only NAT it, right?
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 2:06 pm

Yeah, NAT will work as long as they know the address of the printer in the other network and whatever else they need to get to.

Some modern devices assume everything is in the same L2 domain so they can discover each other so you might lose that. mdns, ssdp and such. There might be a way to make this stuff work across subnets if you need, I haven't studied that. Or hopefully you just don't need it.
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 2:30 pm

acruhl wrote:
> Yeah, NAT will work as long as they know the address of the printer in the other network and whatever else they need to get to.
>
> Some modern devices assume everything is in the same L2 domain so they can discover each other so you might lose that. mdns, ssdp and such. There might be a way to make this stuff work across subnets if you need, I haven't studied that. Or hopefully you just don't need it.

So if I decided to use let's say eth4 for my subnet, I'm going to have to take it out of bridge1, assign an IP on it, for example 192.168.100.1/24, then set up a DHCP server on eth4 which has a pool of 192.168.100.2 - 192.168.100.254, subnet 255.255.255.0 and the gateway 192.168.100.1, then masquerade In. Interface eth4 with Out. Interface bridge1?

bridge1 currently has eth2 and wlan as ports. Should I set eth4 as not slave of eth2?
Currently the HAP Lite has all its ports bridged, no NAT, no IPs, it acts as a switch.
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 2:35 pm

You are mostly correct.

As of 6.40, there is no more master/slave config.

But the concept is the same. eth4 cannot be bridged or a slave of any other interface, it becomes separate (a routing interface instead of a switch interface). You put an IP on that interface, say 192.168.100.1/24 from your example, and the rest of your DHCP server config is correct.

I'm not sure if you need an in-interface in the masquerade rule. Try without it.
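
The configuration discussed in the last few posts, written out as an added example that is not code from any poster. It assumes the thread's "eth4" is the RouterOS interface `ether4`; the pool, server and comment names are assumptions, and `192.168.1.1` stands in for the ONT's address, which the thread does not state.

```routeros
# 1. Take ether4 out of the bridge so it becomes a routed interface.
/interface bridge port remove [find where interface=ether4]

# 2. The hAP is described as having no IPs. Masquerade rewrites the source
#    to the out-interface's address, so bridge1 needs an address and a
#    default route in 192.168.1.0/24 (here taken from the ONT by DHCP).
/ip dhcp-client add interface=bridge1 disabled=no

# 3. Classroom subnet on ether4, with the values from the thread.
/ip address add address=192.168.100.1/24 interface=ether4
/ip pool add name=classroom-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server add name=classroom-dhcp interface=ether4 \
    address-pool=classroom-pool disabled=no
# dns-server is the assumed ONT address; replace with the real resolver.
/ip dhcp-server network add address=192.168.100.0/24 \
    gateway=192.168.100.1 dns-server=192.168.1.1

# 4. NAT classroom traffic leaving through the bridge. src-address scopes
#    the rule to the classroom subnet without an in-interface match.
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 \
    out-interface=bridge1 action=masquerade comment="classroom NAT"

# 5. Optional isolation (the firewall rule mentioned earlier in the
#    thread). Left disabled because the classroom is meant to reach
#    printers on the main subnet. If enabled while DNS is served from the
#    main subnet, place an accept rule for DNS to that resolver above it.
/ip firewall filter add chain=forward in-interface=ether4 \
    dst-address=192.168.1.0/24 action=drop disabled=yes \
    comment="classroom to main LAN: enable to isolate"

# 6. Checks: a client should receive a lease, and the NAT rule's counters
#    should increase once that client generates traffic.
/ip dhcp-server lease print
/ip firewall nat print stats
```

Because of the masquerade rule, hosts on the main subnet see all classroom traffic as coming from the hAP's bridge1 address, so per-client attribution has to be done from the hAP's own DHCP leases and logs.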
 
robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Re: How do I take this? Static routes?

Tue Feb 13, 2018 2:37 pm

acruhl wrote:
> You are mostly correct.
>
> As of 6.40, there is no more master/slave config.
>
> But the concept is the same. eth4 cannot be bridged or a slave of any other interface, it becomes separate (a routing interface instead of a switch interface). You put an IP on that interface, say 192.168.100.1/24 from your example, and the rest of your DHCP server config is correct.
>
> I'm not sure if you need an in-interface in the masquerade rule. Try without it.

Perfect!
I'll try it and get back with the results!

Thanks!