I recently replaced my aging UBNT gear with a Deco system, currently configured in Router mode and happily serving the family WiFi and wired clients. We’ll call this the “house” network (default of 192.168.68.0/22)
 

My lab for work has its own networks that sit behind a mikrotik router, its WAN port attached to the Main Deco LAN port with a dedicated IP (192.168.68.100) and the default route set to 192.168.68.1.

I've then set static routes on the Deco for each of the destination networks behind that router (destinations like 192.168.2.0/24, 192.168.3.0/24) with the gateway set to 192.168.68.100 so traffic going to the VLANs in the lab get routed to the IP for the mikrotik WAN port. There’s no NAT or firewall configured in the mikrotik.   This works as expected and I can access resources in all the lab networks from the house network, and vica-versa.   

What does not work is any internet access from the lab networks. It almost seems like the Deco is blocking (or blackholing) any internet traffic that’s coming from an IP behind the router. Curious if this is by design or do I have to do something special with my static routes/have the downstream router plugged into a specific port on the Deco. If I have to I can configure the mikrotik to NAT the traffic but would prefer not to as it does complicate access into those resources.   This has worked fine in the past with my previous Wifi solution by just setting the static routes in the router attached to the internet.

My Static Route is defined as:
Ntework Destination:  192.168.2.0
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.68.100
Interface: LAN

Any suggestions?