First, a little constructive criticism... get off the bridge kick. The convenience of 'seeing' everything at once is costing you 30%+ in lost bandwidth capability. Use 'The Dude' or some other program to monitor your network. Save the backhaul and AP IPs in Winbox so you can jump right to them..... Use routing - any flavor, static, BGP, RIP, or OSPF.... Ok - I'll get down off of my soap box now.... :)
So what is the problem? You put an IP on the RB433ah on the backhaul side in the same range as the rest of your bridged network, you can see it right away. The way you have it set, that means you can see the AP (xr2) at the same time....
1) Are you thinking to bridge the backhaul and the AP together?
2) Or is it that you want to also see the clients behind the AP and have them show as only the IP from the bridged backhaul?
1) You could invoke the Bridge, use IP firewall under Winbox bridge settings and then NAT the clients 'normally' under /ip firewall nat. You'll probably also have to set the backhaul in pseudo-bridge mode instead of station mode. I would not recommend this method.
2) Give the AP a new IP, different network than the bridge. Set up a DHCP server on the AP interface. Set DNS, gateway, authoritative, always broadcast, no BOOTP support, etc. on the DHCP server. Set up access control like PPPoE, or access list, connect list, and security settings (so only your clients connect to your network). Next, use /ip firewall src-nat to masquerade the clients as their requests go out the backhaul interface.... chain=srcnat out-interface=backhaul action=masquerade .....
To see the clients under method 2, you need to add a route to that network to your main router and point it at the RB433ah backhaul IP address. That way when you make a request to 'see' them the main router will send this to the RB433ah which will take care of it from there.
thom.lawless [at] rapidwifi.com
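Method 2 above, written out as RouterOS commands. This is an added example, not part of the original post: the interface names (wlan-ap, backhaul), the 10.10.10.0/24 client network, the 192.168.1.50 backhaul address, the MAC address and the passphrase are all assumed placeholders.

```routeros
# --- On the RB433ah (assumed names: wlan-ap = XR2 AP card, backhaul = station link) ---

# AP gets its own network, separate from the bridged backhaul range
/ip address add address=10.10.10.1/24 interface=wlan-ap

# DHCP for the clients behind the AP
/ip pool add name=ap-pool ranges=10.10.10.10-10.10.10.254
/ip dhcp-server add name=ap-dhcp interface=wlan-ap address-pool=ap-pool \
    authoritative=yes always-broadcast=yes bootp-support=none disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 \
    dns-server=10.10.10.1

# Access control: encrypted profile, and only listed MACs may associate
/interface wireless security-profiles add name=clients mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-PLACEHOLDER"
/interface wireless set wlan-ap security-profile=clients \
    default-authentication=no
/interface wireless access-list add interface=wlan-ap \
    mac-address=00:11:22:33:44:55 authentication=yes comment="constructed example client"

# Clients leave the backhaul looking like the RB433ah backhaul IP
/ip firewall nat add chain=srcnat out-interface=backhaul action=masquerade

# --- On the main router ---

# Route to the client network via the RB433ah backhaul address (assumed 192.168.1.50)
/ip route add dst-address=10.10.10.0/24 gateway=192.168.1.50
```

With default-authentication=no, any client MAC missing from the access list is refused at association, so the list has to be kept current as customers are added.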