You can accomplish what you ask by using a combination of bridges, EoIP tunnels and IPsec.
First you create an EoIP tunnel on both sides so that both routers can talk to each other.
EoIP is a MikroTik proprietary tunnel that works quite like GRE proto 47.
It can forward whole ethernet frames not just IP (like IPIP or TAP interface for example) making it ideal to 'expand' L2 broadcast domains over L3 links.
Then you setup IPsec to encrypt the communications over the tunnel.
On the latest versions of Mikrotik this can be done automatically from the EoIP interface settings, though I prefer setting this up manually for better control.
You apply the IPsec policies on the EoIP tunnels endpoint IPs (so encrypting the whole EoIP tunnel traffic) and not for the networks passing through the tunnel.
And finally you create a bridge on both routers and attach the ethernet port(s) and the EoIP tunnel on each side.
This way you can expand the L2 broadcast domain to the remote side and the bridge will take care of which packets should go over the tunnel and which should stay locally.
Bridges are like software switches so they keep a table of which MACs are on which ports and automatically forward packets that are destined to which ever port. All broadcast traffic will be forwarded to the tunnel of course.
More info on bridges
On the official MikroTik documentation this scenario is already documented (with the exception of the IPsec encryption).
Let us assume we want to bridge two networks: 'Office LAN' and 'Remote
LAN'. By using EoIP setup can be made so that Office and Remote LANs
are in the same Layer2 broadcast domain.
Consider following setup:
As you know wireless station cannot be bridged, to overcome this
limitation (not involving WDS) we will create EoIP tunnel over the
wireless link and bridge it with interfaces connected to local
networks.
We will not cover wireless configuration in this example, lets assume
that wireless link is already established
At first we create EoIP tunnel on our gateway ...
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>
... and on Remote router
[admin@Remote] interface eoip> add name="eoip" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>
Next step is to bridge local interfaces with EoIP tunnel On Our GW ...
[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 eoip-remote bridge1 128 10
1 office-eth bridge1 128 10
[admin@Our_GW] interface bridge>
... and Remote router:
[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 ether bridge1 128 10
1 eoip-main bridge1 128 10
[admin@Remote] interface bridge>
Now both sites are in the same Layer2 broadcast domain. You can set up
IP addresses from the same network on both sites.
And you also need to setup IPSec.
More info here
Keep in mind that IPsec while the most secure way to communicate on Mikrotik at this moment it's rather CPU hungry unless your routers have hardware acceleration. So if you are using simple routerboard don't expect anything more than 10-15mbits of throughput.
If your routers have dynamic internet IPs then you will need to use the IP > Cloud feature of MikroTik to get a Dynamic DNS and then use those DynDNS with a little scripting to automatically update the IPs on the EoIP tunnels and IPsec peers and policies when your public IPs change.
Finally I assume that your connections to the internet have at best a MTU of 1500bytes.
Using the tunnel and EoIP you will need to lower the EoIP tunnel interface MTU in the realm of 1400bytes (you'd better do some testing to find out the best value for your setup/traffic).
For my setup/traffic I use 1400bytes. Unfortunately due to the nature of IPsec depending on the size of your packets the overhead is variable so you can't always get the best out of it.
Just bridge every interface on hAP and it will act essentially as a switch.
That's it pretty much.
Then remove or disable any dhcp-server instances on IP > DHCP-Server.
Since you do not provide any configuration exports it's impossible to provide you with any commands on how to do the above since every mikrotik installation is kind of unique. You could have implemented your current setup in many different ways. We need to know your current configuration to be able to provide you with any commands.
DHCP relay has nothing to do with what you ask so don't confuse yourself with that.
Also, winbox works fine on Linux using Wine. That's the official way of running Winbox on non-windows machines.
Without winbox it just makes the whole procedure that much more difficult since you might lose access to mikrotik in order to change its IP to the FritzBox subnet (Winbox can find and connect to a mikrotik router even if it's not accessible via IP). If you don't understand what you are doing (blindly copying/pasting commands) you may end up having to reset the whole configuration to gain access again.
IMHO you should configure the FritzBox to act as a PPPoE bridge and use Mikrotik to dial (pppoe-client) to the ISP to establish the internet connection.
This way FritzBox will act as a modem and nothing more. And hAP will act as a powerful router. Having Mikrotik obtain the public IP you avoid double NATs and most importantly you can take advantage of all mikrotik's features. You can create very advanced configurations that I highly doubt that FritzBox (or any other consumer dsl modem for that matter) can do.
Best Answer
The problem is that Lan1 or Cisco or 10.94.x.x Don't have a route to the Lan2 network. So you either have to write a route in cisco/10.94.x.x for the lan1 (192.168.100.0/24) or write a NAT rule in mikrotik to obtain access.
For instance in Cisco router(config mode) you can do:
and a route in the mikrotik for 10.94 network:
(I assume mikrotik IP is 192.168.0.1)
or Do a NAT in mikrotik which seems a better way like this:
or even a masquerade for all to make every packet passing Mikrotik route-able :