This might sound like a silly idea… but in any case, I’m interested how it would be possible, if possible…
Objective: assign hAP ax3 as router, using the internet connection “bridged” through RB4011..
and on the same ethernet connection, trunk back LANs from hAP to RB4011.
Is it possible to bridge the port on the RB4011, while at the same time, receive back VLANs from the hAP ax3?
No, this setup is not possible with devices which are running wifiwave2 driver for wireless (AX devices and some AC devices). The reason is that wifiwave2 doesn’t (yet) support 4-address mode and thus can’t be used as transparent bridge between “islands” of devices which belong to same L2 network.
You could try to work around using EOIP between hAP ax3 and RB4011 though …
Please clarify: how is the connection between RB4011 and hAP AX3 made ?
Wireless, then that’s the reason why it can not be like you want. Wireless on AX3 (=wifiwave2) does not allow bridged station mode.
Wired, then it might be possible.
How I see it (and surely someone more knowledgeable will step in if I’m wrong)
Just set up the required VLANs both on RB4011 and AX3. You should set up a dedicated VLAN for the connection ISP through RB4011 to AX3.
Port1 on RB4011 as access port, feeding into separate VLAN which then goes via trunk to AX3.
No router services on RB4011 and everything will be handled by AX3.
Q from my side:
why this setup ?
RB4011 is quite a capable router (and might even be better at it than AX3, depending on what you use it for).
@holvoetn is right, I (wrongly?) assumed that we’re talking about wireless connection between RB4011 and hAP ax3.
And I’m wondering the same as @holvoetn: why would you want to shift routing to hAP ax3 since RB4011 is the more capable router? Especially as hAP ax3 would have to divide CPU resources between routing and driving the wireless interface (the latter is quite a CPU hog when under high utilization).
OK, scenario would make lots of sense if @OP was using a switch (e.g. CRS1xx) in place of RB4011.
Assuming VLANs 50 and 89 are used for various LAN subnets, another VLAN is necessary on the RB4011-hAPax3 interconnect. Let’s say it’ll be VLAN 666. Both RB4011 and hAP ax3 will have the SFP+ port set up as tagged only link.
hAP ax3 will have single bridge, all interfaces will be made member ports. Bridge interface will be set as tagged member of all VLANs: 50, 89 and 666. It will also have vlan interfaces created (anchored off bridge) for all 3 VLANs. Then vlan666 interface has to be used as WAN interface (assuming default firewall, it has to be made member of WAN interface list) with whatever L3 setup appropriate (static IP address, DHCP client, PPPoE client, …).
RB4011 will have single bridge and all ports will be made bridge ports. Bridge interface should be set as tagged member of all VLANs in the game. There’s a bug which exists in all ROS v7 versions up to now that breaks VLANs between different port groups if bridge is not tagged member of “global” VLAN. By “global” VLAN I mean a VLAN which spans multiple port groups. And port groups are: group1 is ether1-ether5 (run by switch chip 1), group2 is ether6-ether10 (run by switch chip 2) and group3 is SFP+ (run by CPU directly).
Then: port1 (ether1?) should be set as untagged (access) port of VLAN 666 (pvid=666).
RB4011 only needs to have vlan interface which will be used for management of RB4011. Other VLANs will only pass on L2 (ethernet) between bridge ports and vlan interface is not needed (rather: it should not be used as to add another layer of device protection).
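The layout described in the post above, written out as RouterOS commands. This is an added example, not part of the original thread; the bridge name `bridge1`, the hAP ax3 uplink on `ether1`, the access ports `ether2`/`ether6`, management in VLAN 50 and the `192.0.2.2/24` address are assumptions.

```routeros
# ===== RB4011: L2 only (bridge1, ether2, ether6, mgmt VLAN are assumed) =====
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# ISP uplink: untagged (access) port of VLAN 666
add bridge=bridge1 interface=ether1 pvid=666 frame-types=admit-only-untagged-and-priority-tagged
# Tagged-only interconnect towards hAP ax3
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
# Assumed LAN access ports, one in each switch-chip group
add bridge=bridge1 interface=ether2 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=89 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# Bridge itself is a tagged member of every VLAN (the port-group workaround)
add bridge=bridge1 vlan-ids=666 tagged=bridge1,sfp-sfpplus1 untagged=ether1
add bridge=bridge1 vlan-ids=50 tagged=bridge1,sfp-sfpplus1 untagged=ether2
add bridge=bridge1 vlan-ids=89 tagged=bridge1,sfp-sfpplus1 untagged=ether6
/interface vlan
# Management only; no vlan interface for 89 or 666, so no L3 exposure there
add name=vlan50-mgmt interface=bridge1 vlan-id=50
/ip address
add address=192.0.2.2/24 interface=vlan50-mgmt comment="constructed address"
/interface bridge
# Turn filtering on last so a mistake above does not cut off access mid-setup
set bridge1 vlan-filtering=yes

# ===== hAP ax3: router (uplink on ether1 is assumed) =====
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
# Assumed local access port; remaining ports are added the same way
add bridge=bridge1 interface=ether2 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=666 tagged=bridge1,ether1
add bridge=bridge1 vlan-ids=50 tagged=bridge1,ether1 untagged=ether2
add bridge=bridge1 vlan-ids=89 tagged=bridge1,ether1
/interface vlan
add name=vlan666 interface=bridge1 vlan-id=666
add name=vlan50 interface=bridge1 vlan-id=50
add name=vlan89 interface=bridge1 vlan-id=89
/interface list member
# WAN list comes from the default firewall config; this puts vlan666 behind it
add list=WAN interface=vlan666
/ip dhcp-client
# DHCP shown here; static or PPPoE on vlan666 works the same way
add interface=vlan666
/interface bridge
set bridge1 vlan-filtering=yes
```

With this split the ISP-facing segment exists on the RB4011 only as VLAN 666 at layer 2, so the only filtering between the ISP and the LANs is the hAP ax3 firewall on `vlan666`.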
thanks guys… I think I’ve been trying to overcomplicate things instead of keeping it a bit more KISS…
my original thought for doing this was to minimise VLAN routing latency (ie. avoiding CPU as much as possible) to the computers connected directly to hAP… but I now realise traffic has to go through CPU twice anyway… unless i swapped out the RB4011 with a CRS3* with hw VLAN’ing.
I also figured the hAP is slightly better CPU.. but admittedly didn’t account for the 5GHz wifi radio that’s enabled.
after all said and done, I’ll setup the RB4011 as the router, trunk’ed to the hAP…
also have an order pending with S+RJ10 for RB4011, see how much I can squeeze out of the hAP ax3’s 2.5GbE port.
nonetheless, it’s been a good lesson on VLAN’ing, cheers.