By the way, how do I make their router transparent, so that I still have my rb3011 "in charge"?
I figure set DMZ on one of the ports and disable firewall? Will the MT still transmit to the cloud the correct WAN IP?
DMZ is still a NAT, so in Mikrotik syntax, it says /ip firewall nat add chain=dstnat in-interface=WAN action=dst-nat to-addresses=ip.address.on.lan. In the opposite direction, it src-nats whatever comes from the LAN to the WAN (public) IP. So if your 3011 will be the only device on the Verizon router's LAN, there should be no issue except if the Verizon router doesn't keep source ports unchanged.
Double NAT is not as bad as it is often portrayed, so traffic to/from your actual LAN (behind the 3011) will not suffer from that; you just may have to modify the NAT rules on the 3011 to reflect the fact that its WAN IP will be different (or you may not if you use action=masquerade chain and in-interface chain). So the only issue may be that if you have an IPsec connection between the 3011 and some other router at a public address, the IPsec transport packets would get UDP-encapsulated to handle the NAT, i.e. the amount of overhead per byte of the payload would grow a bit. If the Verizon box can handle NAT of ESP, even this can be overcome.
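
The NAT rule changes on the 3011 that the answer above refers to, written out as a RouterOS configuration sketch. This is an added example, not part of the original posts; the interface name ether1-wan, the 192.168.1.0/24 Verizon LAN, the 192.168.88.0/24 inner LAN, the server 192.168.88.10 on port 443 and the documentation address 203.0.113.10 are all assumptions made for illustration.

```routeros
# Assumed topology (constructed for illustration):
#   Internet -- Verizon router (LAN 192.168.1.1/24, DMZ host 192.168.1.2)
#            -- RB3011 ether1-wan (192.168.1.2) -- inner LAN 192.168.88.0/24
#
# The Verizon DMZ rewrites the destination of inbound packets to 192.168.1.2,
# so the 3011 never sees the public address as dst-address any more.

# BEFORE: rules that name the old public WAN address explicitly.
# 203.0.113.10 stands in for that address. Once the 3011 sits behind the
# Verizon router, the dst-nat rule no longer matches anything and the
# src-nat rule rewrites to an address the 3011 does not own.
# /ip firewall nat
# add chain=srcnat src-address=192.168.88.0/24 action=src-nat \
#     to-addresses=203.0.113.10
# add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
#     action=dst-nat to-addresses=192.168.88.10

# AFTER: rules that match on the interface instead of the address.
# masquerade takes whatever address ether1-wan currently has as the new
# source, and the dst-nat rule matches by ingress interface, so neither
# rule needs editing when the WAN address changes.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade \
    comment="inner LAN to Verizon LAN, address-independent"
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="port forward matched by interface, not by dst-address"

# Check which rules are actually being hit after the change:
/ip firewall nat print stats
```

With the DMZ in place every unsolicited inbound connection is handed to the 3011, so its own input and forward filter rules on ether1-wan remain the only packet filter in the path.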