Yes I would use that too, but this location is very limited in what I can do and configure. They have a bunch of devices like DVRs and some other equipment on which we don't have access credentials. It's a mess really!

In an in-house network structured like that, you would normally use "bridge" mode instead of "routing" mode, so everything
is in a single subnet and all addresses are assigned by the router closest to the WAN (or are static).

The classroom should be allowed to access the main subnet (printers, etc.) so there is no need for firewalling. So basically I should only NAT it, right?

You can. If you want to keep that traffic separate from the rest you would have to put in firewall rules on the hAP that you put the new network on. The rules would keep the 2 subnets from contacting each other.
If you look at the default config of a MikroTik, you can see in /ip firewall nat the masquerade rule. Set your out-interface to be the bridge. Then the new DHCP network will be natted underneath the hAP that it's connected to. That is, if you want NAT. If not, you would have to route it.
Hopefully you follow what I'm saying.

So if I decided to use let's say eth4 for my subnet, I'm going to have to take it out of bridge1, assign an IP on it, for example 192.168.100.1/24, then set up a DHCP server on eth4 which has a pool of 192.168.100.2 - 192.168.100.254, subnet 255.255.255.0 and the gateway 192.168.100.1, then masquerade In. Interface eth4 with Out. Interface bridge1?

Yeah, NAT will work as long as they know the address of the printer in the other network and whatever else they need to get to.
Some modern devices assume everything is in the same L2 domain so they can discover each other so you might lose that. mdns, ssdp and such. There might be a way to make this stuff work across subnets if you need, I haven't studied that. Or hopefully you just don't need it.

Perfect!

You are mostly correct.
As of 6.40, there is no more master/slave config.
But the concept is the same. eth4 cannot be bridged or a slave of any other interface, it becomes separate (a routing interface instead of a switch interface). You put an IP on that interface, say 192.168.100.1/24 from your example, and the rest of your DHCP server config is correct.
I'm not sure if you need an in-interface in the masquerade rule. Try without it.
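
The setup discussed in this thread, written out as RouterOS terminal commands. This is an added example, not part of any poster's message: `ether4` stands for the port the thread calls eth4, `bridge1` is the existing bridge from the thread, and the pool, server and comment names are made up for illustration.

```routeros
# Added example (assumed names: ether4 = the thread's "eth4", bridge1 = existing
# LAN bridge; pool-classroom / dhcp-classroom are hypothetical names).

# 1. Detach the port from the bridge so it becomes a routed interface.
/interface bridge port remove [find where interface=ether4]

# 2. Gateway address for the classroom subnet.
/ip address add address=192.168.100.1/24 interface=ether4 comment="classroom gw"

# 3. DHCP: address pool, server bound to the routed port, network options.
/ip pool add name=pool-classroom ranges=192.168.100.2-192.168.100.254
/ip dhcp-server add name=dhcp-classroom interface=ether4 \
    address-pool=pool-classroom lease-time=1h disabled=no
# dns-server assumes the router answers DNS (/ip dns allow-remote-requests=yes).
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 \
    dns-server=192.168.100.1

# Only if the default firewall and interface lists are in use: the input chain
# drops traffic from interfaces outside the LAN list, so clients could not
# reach the router's DNS until the port is added to it.
# /interface list member add list=LAN interface=ether4

# 4. Source NAT toward the main subnet. The srcnat chain cannot match on
#    in-interface, so the rule is scoped by source subnet instead.
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 \
    out-interface=bridge1 action=masquerade comment="classroom NAT"

# 5. Checks: the port is no longer a bridge member (empty output), a client
#    has a lease, and the NAT rule counters increase once traffic flows.
/interface bridge port print where interface=ether4
/ip dhcp-server lease print where server=dhcp-classroom
/ip firewall nat print stats where comment="classroom NAT"
```

Because the classroom is masqueraded, hosts in the main subnet see all of its traffic as coming from the hAP's own address on bridge1, which is the address to look for in printer or DVR access logs.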