Alright, here's my example setup:
* The example will use ether2-ether5 on a RouterBoard 493G
* ether5 will be the trunk port, connected to a VLAN-aware switch
* ether2 and ether3 will be access ports for VLAN10, ether4 will be the single access port for VLAN12
* The RouterBoard has one WLAN card, named wlan1 by default in the wireless interface list
* There will be two VLANs, VLAN10 for guest access and VLAN12 for employee access
* There will be two VAPs/ESSIDs, example-guests (egresses on VLAN10) and example-employees (egresses on VLAN12)
* The RouterBoard is running RouterOS v6.1 and is assumed to be in factory reset condition
I will show CLI commands because it's easier (and less typing) than trying to explain what to click and enter in the GUI. Check the GUI settings before and after you run the commands to see what changes.
# First we create VLAN interfaces on ether5 for VLAN10 and VLAN12. Each VLAN interface will accept and transmit tagged frames.
[admin@MikroTik] > /interface vlan
[admin@MikroTik] /interface vlan> add interface=ether5 vlan-id=10 name=vlan10-guests
[admin@MikroTik] /interface vlan> add interface=ether5 vlan-id=12 name=vlan12-employees
# This step creates security profiles for the wireless interfaces, which is neccessary to use WPA/WPA2. You can skip it and use the default profile if you don't need encryption.
[admin@MikroTik] /interface wireless security-profiles
[admin@MikroTik] /interface wireless security-profiles> add name=profile-guests authentication-types=wpa2-psk wpa2-pre-shared-key=guestpass mode=dynamic-keys
[admin@MikroTik] /interface wireless security-profiles> add name=profile-employees authentication-types=wpa2-psk wpa2-pre-shared-key=employeepass mode=dynamic-keys
# After setting up the security profiles (or skipping that step) we configure and enable the VAPs. Note that I'm just renaming and using the actual wireless card (wlan1) instead of adding two VAPs. I'm using 802.11 on the 2.4GHz band, but you can of course use whatever your WLAN card and clients support.
[admin@MikroTik] /interface wireless
[admin@MikroTik] /interface wireless> set wlan1 band=2ghz-b/g/n
[admin@MikroTik] /interface wireless> set wlan1 name=vap-employees mode=ap-bridge ssid=example-employees frequency=2437 wireless-protocol=802.11 security-profile=profile-employees
[admin@MikroTik] /interface wireless> add name=vap-guests master-interface=vap-employees ssid=example-guests mode=ap-bridge security-profile=profile-guests
[admin@MikroTik] /interface wireless> enable vap-guests,vap-employees
# Finally we bridge the VLAN interfaces, trunk ports and VAPs.
[admin@MikroTik] /interface bridge port
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan10 interface=ether2
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan10 interface=ether3
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan10 interface=vap-guests
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan10 interface=vlan10-guests
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan12 interface=ether4
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan12 interface=vap-employees
[admin@MikroTik] /interface bridge port> add bridge=bridge-vlan12 interface=vlan12-employees
If it doesn't work I might have typoed something, just let me know and I'll double-check the commands.