Bang no further,
There are no firewall rules needed.
Assuming you have some vlans for the WIFI (home, guest, iot devices - so at least three).
One will be the trusted vlan (typically the home vlan).
Give the cAP ac an IP address on this vlan.
One bridge
identify vlans with interface bridge
assign bridge ports
ether1 trunk port to switch or router whatever
vlan10 to bridge (pvid=) {home}
vlan20 to bridge (pvid=) {guest}
any virtual wlans to bridge (pvid=) {iot devices}
Ensure there is an interface list entry called manage.
add interface=vlan10 list=manage
ip neighbours discovery list=manage
tools winmacserver list=manage
ip routes
dst-address=0.0.0.0/0 gwy=192.168.20.1
Setup bridge ports and bridge vlan accordingly
Activate bridge vlan filtering.
Details are in this excellent document; see the example in post #4, after reading and understanding the main pages.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
++++++++++++++++++++++++++++++++++++++++++++++
To add in my own twist.
USE ether2 as a wired backup (or use a virtual wlan as a wireless backup), both OFF the bridge, where you can configure the router and are less apt to lock yourself out.
As always, though, make good use of SAFE MODE!!
https://forum.mikrotik.com/viewtopic.php?t=181718
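
The outline above written out as a RouterOS configuration, as an added example that is not part of the original post. The names bridge1, wlan1, wlan2 and wlan3, the IoT VLAN ID 30, the pvid values and both IP addresses are assumptions; VLANs 10 and 20, the manage list, ether1 as trunk, ether2 as off-bridge backup and the gateway come from the post.

```routeros
# Added example, not from the original post. Assumed: bridge1, wlan1 (home),
# wlan2 (guest), wlan3 (virtual AP for IoT), VLAN 30 for IoT, pvid = VLAN ID.
# Addresses marked "constructed" are placeholders. Enter Safe Mode before pasting.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on in the last step"

/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk"
add bridge=bridge1 interface=wlan1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged comment="home"
add bridge=bridge1 interface=wlan2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged comment="guest"
add bridge=bridge1 interface=wlan3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged comment="iot"

/interface bridge vlan
# Only VLAN 10 lists the bridge itself as tagged, so the AP's CPU is reachable
# from the trusted VLAN and not from guest or IoT. This is why no firewall rules are needed.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=wlan1
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=wlan2
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=wlan3

/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10

/ip address
add address=192.168.20.2/24 interface=vlan10 comment="constructed; must sit in the gateway's subnet"
add address=192.168.88.1/24 interface=ether2 comment="constructed; off-bridge wired backup"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.1

/interface list
add name=manage
/interface list member
add list=manage interface=vlan10
# Assumption: ether2 is added so MAC WinBox also works on the backup port.
add list=manage interface=ether2

/ip neighbor discovery-settings
set discover-interface-list=manage
/tool mac-server mac-winbox
set allowed-interface-list=manage
# Assumption: MAC Telnet is restricted the same way as MAC WinBox.
/tool mac-server
set allowed-interface-list=manage

# Last step: enable filtering only after ports, VLAN table and management are in place.
/interface bridge
set bridge1 vlan-filtering=yes
```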