I have a configuration for a VLAN-tagged virtual AP on CAPsMAN. When it is added to the CAP, an immutable entry is created at /interface bridge port for that interface. On the CAP, neither the UI nor the CLI allows me to modify the frame-types and ingress-filtering options on that port. On the CAPsMAN such options do not exist; only vlan-id and the tagging mode can be altered.
Do I read it correctly that these options cannot be altered on a CAPsMAN-managed wireless interface / bridge port?
It is hard to determine the exact configuration set by CAPsMAN, but it seems like CAPsMAN configures things in a hybrid way (a mix of dumb and VLAN-aware bridge config):
the wireless interface is configured with the properties vlan-mode=use-tag vlan-id=, so essentially the wireless interface works as a tagged interface
the bridge port is configured with the properties pvid= frame-types=admit-all ingress-filtering=no, so the port acts as an access port
The latter is clearly displayed by /interface bridge port print; the former is based on my own observations (and may be completely wrong).
Then the exact behaviour boils down to two possibilities, determined by the setting of the vlan-filtering property on the bridge:
When vlan-filtering=yes, the bridge tags untagged frames with the pvid on ingress but accepts already tagged frames as well. The bridge untags frames on egress.
It seems that the wireless interface untags tagged frames on ingress but accepts untagged ones as well.
Which all means that frames passing from the bridge to the wireless interface are tagless, while frames passing from the wireless interface to the bridge are tagged.
When vlan-filtering=no, the bridge doesn't do anything about VLAN tags, while the wireless interface does the tagging and untagging.
In this case frames passing between the bridge and the wireless interface are tagged in both directions. If the bridge is carrying other VLANs or untagged traffic, then those frames may leak into the wireless interface. The wireless interface then discards frames with wrong VLAN tags but accepts untagged frames, which can then leak via the air interface.
(N.b. if the wireless interface is configured with vlan-mode=no-tag, this actually means that the wireless driver doesn't treat VLAN tags at all and tagged frames get transmitted over the air … which allows building trunk PtP connections via wireless.)
And yes, bridge port entries as well as wireless interfaces are dynamic, which means you can't change their properties.
CAPsMAN did not configure VLAN tagging at /interface bridge for "physical" wlans (I don't know if this is the right term), only for the virtual wlans it created itself.
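The two vlan-filtering cases described in the answer above, as an added RouterOS CLI example that is not from the thread: it assumes a bridge named bridge1, an uplink ether1 carrying VLAN 10 tagged, and a CAPsMAN datapath dp-vlan10 doing local forwarding into bridge1 with vlan-mode=use-tag vlan-id=10 (all assumed names and values). The dynamic wlan bridge port entry is created by CAPsMAN and cannot be edited, so only the bridge-level settings are ours to change.

```routeros
# Assumed setup (not from the thread): CAPsMAN datapath that tags the
# virtual wlan with VLAN 10 and forwards locally into bridge1.
/caps-man datapath add name=dp-vlan10 bridge=bridge1 local-forwarding=yes \
    vlan-mode=use-tag vlan-id=10

# Weak setting: the bridge ignores tags entirely. Untagged frames arriving on
# any other bridge port can reach the dynamic wlan port and leave over the air.
/interface bridge set bridge1 vlan-filtering=no

# Corrected setting: make the bridge VLAN-aware and give it an explicit VLAN
# table, so only VLAN 10 is switched towards the dynamic wlan port
# (pvid=10, frame-types=admit-all as set by CAPsMAN). Add the management
# VLAN membership (tagged=bridge1) BEFORE enabling vlan-filtering, otherwise
# access to the router itself can be lost.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=ether1,bridge1
/interface bridge set bridge1 vlan-filtering=yes

# Checks: list the ports CAPsMAN created dynamically (with the pvid they got)
# and confirm the VLAN table only carries VLAN 10 towards them.
/interface bridge port print detail where dynamic
/interface bridge vlan print where vlan-ids=10
```

The untagged membership of the wlan port in VLAN 10 appears as a dynamic entry derived from its pvid; if it is missing, the datapath vlan-id and the bridge vlan-ids do not match.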