We had an initial (non-VLAN) configuration, but I believe I successfully adapted the config in a way that it could coexist with the new VLANs / wireless networks - although it doesn’t.
The current reality is that wireless networks can be discovered, clients can attach to them, but no traffic is getting through.
DHCP server definitely doesn’t answer, but even if I assign a static IP on the client, the gateway cannot be seen.
I can ping the VLAN interfaces on the router from a client connected over untagged LAN.
You are missing the Bridge-VLAN and the Bridge-Port PVID
Step 0: Untagged-Traffic
In your current Configuration, Untagged-Traffic will be assigned a default VLAN-ID of 1
This can be changed in the Bridge-Configuration or you can assign a Tag for each Port
individually via “/interface bridge port”
Example :
/interface bridge port
add bridge=bridge interface=ether14_ap_out pvid=10
Step 1: Assign Bridge vlan
You also need to add VLAN-Filtering rules
Basic-Example :
Tip / Trick :
If you decide to segregate your Network with VLAN’s,
I recommend you also have a Network / VLAN dedicated for an Administration-Network.
It’s usually considered “Best-Practice” and adds another Layer of security* to your Network.
You can then use this “Administration-Network” to Manage the CAP’s / Wireless network via Capsman.
Depending on the extent or size of your Network, you may even want to create a separate Network/VLAN for Capsman!
Answer: If you want to access different VLANs via the Wireless, you will indeed have to configure the Switch-Port for all VLANs (aka Hybrid)
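The two steps above (PVID on the bridge ports, then the bridge VLAN table) written out as one complete RouterOS configuration. This is an added example, not the poster's configuration or anything from the MikroTik documentation. Only the bridge name "bridge" and the access port ether14_ap_out with PVID 10 come from the thread; the VLAN IDs (10 office, 20 media, 99 management), the trunk port ether2_cap toward the CAP, the addressing and the DHCP pool are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Assumed: bridge "bridge";
# ether14_ap_out carries untagged office traffic (PVID 10, as in the thread);
# ether2_cap is a hybrid/trunk port to a CAP: VLANs 10 and 20 tagged, the
# management VLAN 99 untagged so the CAP itself lands in management.
# VLAN IDs 10=office, 20=media, 99=management are assumptions.

# Step 0: PVID. Untagged frames entering these ports get this VLAN ID
# instead of the bridge default of 1.
/interface bridge port
set [find interface=ether14_ap_out] pvid=10
set [find interface=ether2_cap] pvid=99

# Step 1: bridge VLAN table. Every VLAN needs an entry saying which ports
# carry it tagged and which untagged. The bridge itself must be listed as
# a tagged member, otherwise the router's own VLAN interfaces (and with
# them the gateway address and DHCP server) never see the traffic, which
# matches the "DHCP does not answer, gateway unreachable" symptom above.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2_cap untagged=ether14_ap_out
add bridge=bridge vlan-ids=20 tagged=bridge,ether2_cap
add bridge=bridge vlan-ids=99 tagged=bridge untagged=ether2_cap

# Layer-3 interfaces of the router, one per VLAN, on top of the bridge.
/interface vlan
add name=vlan10_office vlan-id=10 interface=bridge
add name=vlan20_media vlan-id=20 interface=bridge
add name=vlan99_mgmt vlan-id=99 interface=bridge

/ip address
add address=10.10.0.1/24 interface=vlan10_office
add address=10.20.0.1/24 interface=vlan20_media
add address=10.99.0.1/24 interface=vlan99_mgmt

# DHCP for the office VLAN (media and management follow the same pattern).
/ip pool
add name=pool_office ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
add name=dhcp_office interface=vlan10_office address-pool=pool_office disabled=no
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1

# Keep router management (MAC-telnet, neighbor discovery) on the
# management VLAN only, in the spirit of the "Administration-Network" tip.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan99_mgmt
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Last, and only after the table above is complete: turn filtering on.
# Do this inside Safe Mode (Ctrl-X in the CLI) when working remotely; a
# missing untagged entry for the port you are connected through will
# otherwise lock you out.
/interface bridge
set [find name=bridge] vlan-filtering=yes
```

The order matters: the PVID and the bridge VLAN entries are harmless while vlan-filtering is still "no", so everything can be prepared and reviewed with /interface bridge vlan print before the final line activates it.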
I’m fine with interfaces handling untagged traffic as before, so assigning VLAN 1 for untagged traffic is ok so far. Hence I suppose this below is not relevant for now.
/interface bridge port
add bridge=bridge interface=ether14_ap_out pvid=10
For /interface bridge vlan there is no configuration now, I have a dynamic entry:
Grrrrr, it is a client issue too… I’m connected remotely (over ZeroTier) to a Linux workstation, that has both wired and wireless interface. So basically when I configure something (connected over untagged ether port), I can check in another terminal if wireless is working. And it was not… and I was super confused after a while, because the old wlan (untagged, to be deprecated) didn’t work either. At that moment I got a bit scared, that would have meant, that nobody had wifi anymore, so looked at DHCP leases… and I saw that a mobile was just offered with an IP… so it seemed to be ok. Then I reloaded the wireless card’s kernel module on the workstation and tada, the machine got an IP on the brand new office network! (media works too)
Nevertheless hotspot still fails, I guess there is something here with the security – on the other hand this is something that needs to be looked at in connection with the /ip hotspot extension, since I would like to have there a captive portal.
What I don’t like at the moment is that I can ‘cross’ ping the gateway of the various VLANs, e.g. from office to media – I’ll need to look at how to put here some restrictions.
Yes definitely, Safe-Mode was/is my best friend in this whole activity. It’s really flaky to configure the router 1200km away, over a ZeroTier link to a workstation.
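For the "cross ping" point raised above: the gateway addresses all belong to the router, so reaching the media gateway from the office VLAN is decided by the input chain, while office-to-media host traffic is decided by the forward chain, whose default policy is accept. Below is an added example (not from the thread, not MikroTik's defaults) of a filter set that restricts both. It assumes the VLAN interfaces are named vlan10_office, vlan20_media and vlan99_mgmt with gateways 10.10.0.1, 10.20.0.1 and 10.99.0.1, and that the uplink is ether1_wan; all of these names and addresses are assumptions.

```routeros
# Added example, not from the thread. Assumed interface names and
# addresses: vlan10_office 10.10.0.1, vlan20_media 10.20.0.1,
# vlan99_mgmt 10.99.0.1 (management), uplink ether1_wan.
/interface list
add name=VLAN
add name=MGMT
/interface list member
add list=VLAN interface=vlan10_office
add list=VLAN interface=vlan20_media
add list=VLAN interface=vlan99_mgmt
add list=MGMT interface=vlan99_mgmt

/ip firewall filter
# --- input: traffic addressed to the router itself (the gateways) ---
add chain=input action=accept connection-state=established,related,untracked comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
# Each VLAN may talk to its own gateway only: DHCP, DNS and ping.
add chain=input action=accept in-interface=vlan10_office protocol=udp dst-port=67 comment="office DHCP"
add chain=input action=accept in-interface=vlan10_office dst-address=10.10.0.1 protocol=udp dst-port=53 comment="office DNS"
add chain=input action=accept in-interface=vlan10_office dst-address=10.10.0.1 protocol=icmp comment="office may ping its own gateway"
add chain=input action=accept in-interface=vlan20_media protocol=udp dst-port=67 comment="media DHCP"
add chain=input action=accept in-interface=vlan20_media dst-address=10.20.0.1 protocol=udp dst-port=53 comment="media DNS"
add chain=input action=accept in-interface=vlan20_media dst-address=10.20.0.1 protocol=icmp comment="media may ping its own gateway"
# Management VLAN gets full access to the router (WinBox, SSH, API ...).
add chain=input action=accept in-interface-list=MGMT comment="management VLAN"
# Everything else aimed at the router, including office -> media gateway
# pings and any management attempt from a user VLAN, is dropped and logged.
add chain=input action=drop log=yes log-prefix="input-drop" comment="drop the rest"

# --- forward: traffic routed between networks ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface=ether1_wan comment="all VLANs to the internet"
add chain=forward action=accept in-interface-list=MGMT out-interface-list=VLAN comment="management may reach every VLAN"
# No other VLAN-to-VLAN traffic. Without this rule the default forward
# policy (accept) lets office and media hosts reach each other freely.
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN log=yes log-prefix="inter-vlan-drop" comment="isolate VLANs"
```

The log prefixes make it easy to see in /log print what is being blocked while the rules settle; once the hotspot VLAN is added later it needs its own input rules for DHCP and DNS in the same pattern, plus whatever the /ip hotspot setup adds by itself.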