CAPsMAN - set management interfaces

Hello.

I want to limit the interfaces on which CAPsMAN communicates. Is this configurable via CAPsMAN or should I set filters?
The problem now is that CAPsMAN can connect devices via WAN.
I don’t want that, of course. How do I limit management interfaces?
On the side - I’m wondering if wifi passwords can be leaked that way? As far as I saw, security config is not accessible via winbox on a managed device. However, the KEY is sent - can it be sniffed in CAPsMAN packets?

OK, so maybe someone can tell me what means of communication CAPsMAN has, because I could not find that exact information?
In services there is 5246,5247/udp. What about L2 communication?