I have a complicated setup, but the oversimplification is this:
I have 2 different subnets in 2 different places that are a mile apart. I have a stable WireGuard connection (linking the main routers) between them and routing works. I can use this link and open Winbox 3.x to any device on either subnet from either subnet.
I bought a pair of XL LHG 5 AC because I thought it would be fun to play with a wireless bridge. After setting it up and messing up a couple of times (forgot the “-bridge” in the “station” side) I used VLANs (for the very first time) and set the wireless link as a trunk, and I have bridge1 (ether1) as the local subnet IP and a VLAN as the remote subnet IP. Main routers had the WireGuard routes set to distance 2 and a new distance 1 route was added having the local subnet antenna IP as the gateway. This part works: I can see all devices on both sides, broadcasts are blocked as expected, I can see both the antennas at their local IPs as neighbors, every device can interact with any other device on the remote subnet, etc.
However, this broke something in Winbox. Now I can’t connect to devices on the other subnet via Winbox. This works if the route used is the WireGuard one, but the Winbox client just complains that the device does not support the security mode and that I should enable legacy mode if I really want to connect.
Funnily enough Winbox4 does work, connecting directly to http in the router also works, everything else seems to work. The only thing not working is Winbox3.
Any ideas of what I may be doing wrong? I must have overlooked something or skipped a step. 
I think I see what I did wrong
While I added 2 antennas to two different networks (192.168.1.0/24 and 192.168.2.0/24) and I linked them in such a way that one antenna has 192.168.x.21 and the other has 192.168.x.22, visible from both sides with their proper ip and all.
When I tell the router that the route to the remote subnet should go to the local ip (e.g. 192.168.1.x is accessible via 192.168.2.21 and 192.168.2.x is accessible via 192.168.1.22) the problem seems to be that I am intentionally and stupidly breaking the state for the connections.
Yet Winbox4 bypasses all this and it just connects!
Time to think how to solve this. I may have to route it; I certainly do not want to src/nat it.
I really do not know why I was expecting the router (any router, not mikrotik specifically) to be smarter.
I thought, if I have a device that has 2 adapters with 2 different subnets and it can reach both without issues, then if I set it as the next hop from the default gateway it should be able to find the devices on the other side. And because this packet would have the origin IP when it is sent back, it would hit the default gateway at the other end, and if it also knows how to forward those to this side it will just work.
However, I could not hold this theory to its light. Sometimes it did go through, but most of the time it did not come back. Winbox3 could see the device but couldn’t see the responses; Winbox4 could see the responses somehow. I ended up putting a VLAN port in the default gateway with the remote subnet and src-natting them. I hate this because now the remote devices see every single connection as being made by the remote device instead of the subnet device. But I do not think I understand enough of this next-hop / gateway / routing interaction yet. Or maybe one of the routers has really complicated firewall rules that are messing it up. Oh well, will try again at some other point in time.