Hi!

Unfortunately I can not install more wires and I have a weird (for my networking skills) situation to address.
I want to separate customers and home network both connecting through ether3

One way would be through static ips / dhcp ips and address lists with firewall filters
I wonder if there is any other more appropriate way to do this

Suggestions?

Study the possibilities of a VLAN!

As pe1chl writes VLAN.

I have 2 Ubiquiti APs on same ether with two SSID (home and guest) they are configured with VLAN, in the AP I have assigned the VLAN and they get appropriate IPs from DHCP servers I have configured - I have also set max and up and download speed on the APs so guest is limited to 1 Mbps download and 0,5 upload.

Thank you for your time helping me.

Before posting I spent a few days trying to find out what I could do, but my networking skills didn't allow me to accomplish what I am looking for.

I tried VLAN but as I use unmanaged switches and everything comes to port ether3,
HOW can I distinguish which client gets vlan-customers and which vlan-home

You have customers to support and you are using unmanaged switched not capable of doing and isolating VLANs?
This sounds like a bad situation...
First get some new switches at the point where your customers connect.
Only when you manage the routers at the customer site as well, you could run VLAN over unmanaged switches and
terminate it in those routers.

We are talking about a small B&B in Greece which until last year there was only a modem/router from the ISP.
Also, if you see how the network cables are patched you will wonder if anything is working!
The mikrotik is a huge improvement for the time being and I am trying to make things work until end of season when we will be able to fix more problems (managed switch, installation of a patch panel etc.)

So, what other options do I have?
I thought, I could set static arp records for home devices (desktops, smartphones, etc), wifi APs
and then let the dhcp server add dynamic arp records. Also, set ether3 to arp-reply so nobody can set static ip.

But to make it more elegant, I would like to use different xxx.xxx.xxx.xx/24 subnet
for example
home 192.168.1.0/24
customers 192.168.2.0/24

Is it possible to use two subnets on the same interface? Or is it possible to set a bigger one like 192.168.0.0/16 and then change dhcp settings to only provide 192.168.2.0/24 for dhcp clients and use static ips of 192.168.1.0/24 for home devices?

It is no problem to use 2 subnets on the same network but in this case you can use dynamic address assingment
using DHCP only on one subnet.
This means that you can use DHCP for customers and you will have to set fixed addresses for the other network.
These can still be assigned to the equipment using DHCP but then you need to add static entries for every device
in the MikroTik. This can be done by first running DHCP with a pool, switching everything off-on and then making
all the entries static in the WebFig.
At the end you leave only a pool for the customer subnet and you have 2 subnets which you can then isolate using
forward rules in the firewall.
Of course this does not really separate the networks, anyone peeking around can see what is going on and attack
the equipment directly.

When you get a VLAN switch you can really isolate the networks. When it is a good one it can even isolate the ports
in a single VLAN from eachother, which is good to have in such a situation.
I.E. you have a single customer VLAN and all customers can talk to the router and the internet, but the customers
cannot talk to eachother directly via the switch, only via the router.
When such a switch is too expensive for you, you can still get a cheap VLAN capable switch and make a separate
VLAN for each room each with its own DHCP server in the MikroTik and configured so they can all access the
internet but not talk to eachother.

can you please write an example of the settings?
for ip address and dhcp server

One idea I just had,
is it possible to use hotspot so anyone who logins with username guest:guest would go into vlan-customers
and anyone who logins with username staff:supersecurepassword! would go into vlan-staff
?

One idea I just had,
is it possible to use hotspot so anyone who logins with username guest:guest would go into vlan-customers
and anyone who logins with username staff:supersecurepassword! would go into vlan-staff
?

Answering to myself....
Can't do cause vlan is "hardware" based
Instead of vlan I could use address lists but again too much trouble with hotspot as I can manually set trusted address list and the rest would be customers address list

again, i need an example on how to give the ip subnets 192.168.1.0/24 for static arp records and 192.168.2.0/24 for dhcp dynamic arp records in the same ether3

settings for
ip->address
and
ip->dhcp server and network settings
please!

You can use Hotspot on ethernet 3. And use walled garden to filter out the MAC address which should bypass the Hotspot (for example, your phone, your laptop, printer etc... should be in that list).

Here the wiki:

http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

Bad thing: your (private) traffic will also be unsecured.