ancetile
just joined
Topic Author
Posts: 3
Joined: Sat Sep 03, 2022 9:03 am

Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sat Sep 03, 2022 1:32 pm

I'm trying to configure my RouterBoard to connect to my Hotspot as well as provide a wireless network to users including Internet access.

- I've set up the physical wlan as a station and have it connected to the hotspot.
- I've added a virtual wlan as an ap bridge, set the master to the physical wlan.
- I've added a port forward for winbox access to the config.

What I'm struggling with is sharing the internet connection from the physical wlan1 to the virtual wlan2 so users can connect, view network resources (including the webfig) and access the internet.

Any help welcome. I'm a bit of a noob to routing and this device, but generally IT savvy.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sat Sep 03, 2022 6:44 pm

Nothing really different from a basic "home CPE with DHCP uplink" setup, except the interfaces. The WAN (physical wireless interface) needs a DHCP client attached to it which you apparently have; the NAT part of the firewall must masquerade the traffic leaving through that interface and should block all incoming connections via that interface, maybe even connections to the router itself from the wireless clients. Then, attach an IP address from a private subnet to the wireless LAN (the virtual wireless interface in AP mode), create an ip pool in that subnet, an /ip dhcp-server network profile (specifying the own address of Mikrotik in that network as gateway and possibly also as DNS server - if so, you have to permit access to router's own UDP port 53 to the wireless client), attach an /ip dhcp-server to the interface, tell it to use the pool, and enable it.
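
The steps in the reply above, written out as a RouterOS configuration. This is an added example, not part of the original post: the interface names wlan1 (station, WAN) and wlan2 (virtual AP, LAN) follow the thread, while the 192.168.88.0/24 subnet, the pool and server names, and the exact filter rule set are assumptions chosen for illustration.

```routeros
# WAN: DHCP client on the physical station interface
/ip dhcp-client
add interface=wlan1 disabled=no

# LAN: private address on the virtual AP (subnet is an assumption)
/ip address
add address=192.168.88.1/24 interface=wlan2

# Address pool and DHCP server for the wireless clients
/ip pool
add name=boat-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server
add name=boat-dhcp interface=wlan2 address-pool=boat-pool disabled=no

# The router answers DNS for the LAN only because the filter below
# drops everything new arriving on wlan1
/ip dns
set allow-remote-requests=yes

# Masquerade traffic leaving through the hotspot-facing interface
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade

/ip firewall filter
# Traffic to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=wlan2 protocol=udp dst-port=53 action=accept
add chain=input in-interface=wlan2 protocol=tcp dst-port=53 action=accept
# Block all new connections to the router from the hotspot side
add chain=input in-interface=wlan1 action=drop
# Traffic through the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Block new connections from the hotspot side into the LAN,
# except those matched by an explicit dstnat (port forward) rule
add chain=forward in-interface=wlan1 connection-state=new connection-nat-state=!dstnat action=drop
```

As written, the input chain still lets wlan2 clients reach WinBox and WebFig on the router; the input drop on wlan1 blocks management access from the hotspot side, including a WinBox port forward that targets the router itself.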
 
ancetile
just joined
Topic Author
Posts: 3
Joined: Sat Sep 03, 2022 9:03 am

Re: Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sun Sep 04, 2022 9:10 am

Huge thanks - that's really helpful. I think I can figure out how to do all that.

This is for a boat based network. The objective is as described (and - with a minor tweak to install a LTE modem connected by ethernet - should also enable me to do remote monitoring and management).

So for clarity, there would be

- 1 ethernet network for the ship board devices (including firewalled access to the internet for firmware upgrades etc)
- 1 wireless lan (virtual) providing connectivity to wireless devices (on board guests, my laptop, the odd wirelessly connected monitoring device on board)
- 1 wireless lan (Physical) connecting to the hotspot (or ethernet when I replace hotspot access with a wired LTE modem - in which case the virtual wireless lan becomes the physical one)

Given the last point, perhaps it makes more sense for the guest wlan to be physical in ap mode (and the hotspot connection to be virtual in station mode).

And then I have to figure out how to get reliable remote access when I'm away from the boat - which means some sort of dynamic dns setup if the ISP changes IP addresses. Complication here is that it's not just access to the webfig, but some on board devices have web interfaces for monitoring and management - so I guess I either have to expose the entire network or port forward the specific addresses/services I want remote access to.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sun Sep 04, 2022 9:51 am

> perhaps it makes more sense for the guest wlan to be physical in ap mode (and the hotspot connection to be virtual in station mode).

This is not possible. The STA (station, client) must follow the frequency of the AP it is associated to, so the physical wireless interface must be in station mode, and the AP(s) must be the virtual one(s).

Once you connect the LTE device using Ethernet, you have to reconfigure the WLAN, as the Mikrotik STA interface will keep switching channel to find the AP and the clients of the virtual APs will be unable to keep track with that (been there, seen that).

Have you considered using a wAP ac LTE kit?

> And then I have to figure out how to get reliable remote access when I'm away from the boat - which means some sort of dynamic dns setup if the ISP changes IP addresses.

The best way here is a VPN where the sailing Tik acts as a client/initiator and connects to a server/responder with a static public IP address, so the IP of the sailing Tik need not even be a public one (leaving aside that I have seen a U.S. mobile operator assign public IPs to LTE devices but these were not routable from the internet and outgoing connections from those devices got NATed to other public addresses).

If you want/have to stick with directly connecting to the sailing Tik, a dynamic DNS domain name comes bundled with every Mikrotik device, they call it "cloud" service. It did have a several days outage a few months ago, though, so a backup service is highly recommended.

> Complication here is that it's not just access to the webfig, but some on board devices have web interfaces for monitoring and management - so I guess I either have to expose the entire network or port forward the specific addresses/services I want remote access to.

Also here I'd say a VPN is a better solution, and in fact the only secure one if some of the web interfaces do not support HTTPS. Port forwarding works, but the method of protecting credentials in HTTP is too weak by today's standards. Restricting access to only a list of allowed addresses is possible (but not nearly as secure as a VPN), plus if you do have static addresses to put on that list, you should be able to run a VPN server on one of them. And then you can connect your laptop or phone to the same VPN and access everything in the boat LAN from anywhere.
 
ancetile
just joined
Topic Author
Posts: 3
Joined: Sat Sep 03, 2022 9:03 am

Re: Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sun Sep 04, 2022 12:47 pm

Wasn't aware of MikroTik's wAP ac LTE kit Access, but I have a Netgear LTE box that I've tested and works well enough. It doesn't provide an AP - just a wired connection to the Mikrotik box, but it gives Mikrotik the WAN connectivity I need. I don't have massive bandwidth or many client devices. That said, I'm not sure I fully understand the benefits of the Mikrotik LTE kit vs what I have so I'll try and do some research on that.

Sindy, I'm not a professional, but I will try and implement as much of your advice as I can over the next days. But so I know, are there professional services you can recommend that can help me get this done if it turns out to be above my paygrade? Not sure of the etiquette here, but you for example :-)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Obtain WAN from ISP Hotspot AND provide wireless AP to users with WAN access shared from the ISP Hotspot.

Sun Sep 04, 2022 2:22 pm

> I have a Netgear LTE box that I've tested and works well enough. It doesn't provide an AP - just a wired connection to the Mikrotik box,
> ...
> I'm not sure I fully understand the benefits of the Mikrotik LTE kit vs what I have so I'll try and do some research on that.

From your wording it wasn't clear to me you've already got the LTE box with Ethernet interface. Given that fact, it is probably not worth it to use the wAP ac instead of a combination of the Netgear and your current Mikrotik. An all-in-one solution is in general better, but such an advantage is gone once you need more than two wired Ethernet interfaces. The wide range of power supply voltage is also not bad in mobile installations (no external regulators/adaptors required) but I know nothing about the Netgear so this may not be an advantage at all.

> But so I know, are there professional services you can recommend that can help me get this done if it turns out to be above my paygrade? Not sure of the etiquette here, but you for example :-)

There is an official list of Mikrotik consultants, so I'd assume finding a consultant geographically and language-wise close to you should not be a big deal. To get on that list, people have to successfully pass trainings so all of them should have enough qualification for the task. I personally prefer to help people develop their own skills to setting things up for them, but I am always ready to push you in the right direction if you get stuck on that way.

Just bear in mind that whoever you outsource your security to is in the best position to take it away from you. So when it comes to configuring VPNs, firewalls etc., be sure you understand enough to be able to identify and close any backdoor once the consultant's job is done.
