CAPsMAN

/caps-man provisioning
add action=create-disabled comment=dsw3 hw-supported-modes=gn \
    master-configuration=office_staff_local name-format=prefix name-prefix=\
    dsw3_ radio-mac=xx:xx:xx:xx:xx:xx slave-configurations=\
    office_royal_local,office_workshop_local,office_guest_local

/caps-man configuration
.....
add channel=auto country=ukraine datapath=office_guest_local mode=ap name=\
    office_guest_local security=office_guest ssid=guest
.....

/caps-man datapath
add client-to-client-forwarding=no local-forwarding=yes name=\
    office_guest_local

/caps-man radio> print
Flags: L - local, P - provisioned 
 #    RADIO-MAC         INTERFACE     REMOTE-CAP-NAME    REMOTE-CAP-IDENTITY   
 0  P xx:xx:xx:xx:xx:xx dsw3_1        CAP-xxxxxxxxxxxxxx   dsw3.workshop   

/caps-man interface> print
Flags: M - master, D - dynamic, B - bound, 
X - disabled, I - inactive, R - running 
 #      NAME                 RADIO-MAC         MASTER-INTERFACE                
 0 M BR dsw3_1               xx:xx:xx:xx:xx:xx none                            
 1   B  dsw3_1-1             00:00:00:00:00:00 dsw3_1                          
 2   B  dsw3_1-2             00:00:00:00:00:00 dsw3_1                          
 3   B  dsw3_1-3             00:00:00:00:00:00 dsw3_1

/interface wireless> print
Flags: X - disabled, R - running 
 0  R ;;; managed by CAPsMAN
      ;;; channel: 2427/20-Ce/gn(20dBm), SSID: staff, local forwarding
      name="wlan1" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=Atheros AR9300 mode=ap-bridge ssid="MikroTik-092640" 
      frequency=2412 band=2ghz-b/g/n channel-width=20/40mhz-Ce 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R ;;; managed by CAPsMAN
      ;;; SSID: workshop, local forwarding
      name="wlan69" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

 2  R ;;; managed by CAPsMAN
      ;;; SSID: royal, local forwarding
      name="wlan70" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

 3  R ;;; managed by CAPsMAN
      ;;; SSID: guest, local forwarding
      name="wlan71" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    wlan1                  br.12.staff             0x80         10       none
 1    vlan102.managment      br.102.managment        0x80         10       none
 2    vlan12.dsw3.ccr        br.12.staff             0x80         10       none
 3    vlan1.dsw1.ccr         br.1.royal              0x80         10       none
 4    vlan52.dsw3.ccr        br.52.guest             0x80         10       none
 5    vlan9.dsw3.ccr         br9.workshop            0x80         10       none
 6    wlan69                 br9.workshop            0x80         10       none
 7    wlan71                 br.52.guest             0x80         10       none
 8    ether21-slave-local    br9.workshop            0x80         10       none
 9    wlan70                 br.1.royal              0x80         10       none

/interface wireless> print
Flags: X - disabled, R - running 
 0  R ;;; managed by CAPsMAN
      ;;; channel: 2412/20-Ce/gn(20dBm), SSID: staff, local forwarding
      name="wlan1" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=Atheros AR9300 mode=ap-bridge ssid="MikroTik-092640" 
      frequency=2412 band=2ghz-b/g/n channel-width=20/40mhz-Ce 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R ;;; managed by CAPsMAN
      ;;; SSID: workshop, local forwarding
      name="wlan87" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

 2  R ;;; managed by CAPsMAN
      ;;; SSID: royal, local forwarding
      name="wlan88" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

 3  R ;;; managed by CAPsMAN
      ;;; SSID: guest, local forwarding
      name="wlan89" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 

/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    wlan1                  br.12.staff             0x80         10       none
 1    vlan102.managment      br.102.managment        0x80         10       none
 2    vlan12.dsw3.ccr        br.12.staff             0x80         10       none
 3    vlan1.dsw1.ccr         br.1.royal              0x80         10       none
 4    vlan52.dsw3.ccr        br.52.guest             0x80         10       none
 5    vlan9.dsw3.ccr         br9.workshop            0x80         10       none
 6 I  *6D                    br9.workshop            0x80         10       none
 7 I  *6F                    br.52.guest             0x80         10       none
 8    ether21-slave-local    br9.workshop            0x80         10       none
 9 I  *6E                    br.1.royal              0x80         10       none

/interface wireless cap set bridge=[SomeBridge]

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    wlan1                  br12.staff              0x80         10       none
 1    vlan1.ap11.dsw3        br1.royal               0x80         10       none
 2    vlan102.ap11.dsw3      br102.managment         0x80         10       none
 3    vlan9.ap11.dsw3        br9.workshop            0x80         10       none
 4    vlan12.ap11.dsw3       br12.staff              0x80         10       none
 5  D wlan17                 br12.staff              0x80         10       none
 6  D wlan18                 br12.staff              0x80         10       none

In CAPsMAN:
add client-to-client-forwarding=no local-forwarding=yes name=\
    office_guest_local_vlan vlan-id=52 vlan-mode=use-service-tag
add client-to-client-forwarding=no local-forwarding=yes name=\
    office_royal_local_vlan vlan-id=1 vlan-mode=use-service-tag
add client-to-client-forwarding=no local-forwarding=yes name=\
    office_staff_local_vlan vlan-id=12 vlan-mode=use-service-tag
add client-to-client-forwarding=no local-forwarding=yes name=\
    office_workshop_local_vlan vlan-id=9 vlan-mode=use-service-tag

In AP:
/interface bridge port
add auto-isolate=yes bridge=br-vlans interface=ether1
/interface wireless cap
set bridge=br-vlans

 /caps-man datapath> print
 0 name="ps-privat" client-to-client-forwarding=no local-forwarding=yes 
   vlan-mode=use-tag vlan-id=25 

 1 name="ps-public" client-to-client-forwarding=no local-forwarding=yes 
   vlan-mode=use-tag vlan-id=66 

 /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  RS ether1-master-local                 ether            1500  1598       4074
 1  XS ether2-slave-local                  ether            1500  1598       4074
 2  XS ether3-slave-local                  ether            1500  1598       4074
 3  XS ether4-slave-local                  ether            1500  1598       4074
 4     ether5-mgmt                         ether            1500  1598       4074
 5  RS ;;; managed by CAPsMAN
       ;;; channel: 2442/20-Ce/gn(20dBm), SSID: ps-privat, local forwarding
       wlan1                               wlan             1500  1600
 6 DRS ;;; managed by CAPsMAN
       ;;; SSID: ps-public, local forwarding
       wlan2                               wlan             1500  1600
 7  R  bridge-vlan-trunk                   bridge           1500  1598
 8  R  vlan25                              vlan             1500  1594

/interface bridge> print
Flags: X - disabled, R - running 
 0  R name="bridge-vlan-trunk" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled 
      mac-address=D4:CA:6D:07:4C:EC protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether1-master-local      bridge-vlan-trunk        0x80         10       none
 1  D wlan1                    bridge-vlan-trunk        0x80         10       none
 2  D wlan2                    bridge-vlan-trunk        0x80         10       none

/interface vlan add name=XXXX vlan-id=1234 interface=bridge