VLAN over EoIP

After reading http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1 by @sindy and doing some tests and sniffing, I came to the conclusion that my thinking was correct about how a bridge deals with tagged packets - they all go through the bridge as long as they got there from the switch below. Which makes sense, as I don't have VLAN filtering enabled.

So I tested the easiest solution - just added the EoIP interface to the existing bridge. As I expected, packets from all VLANs (the ones that made it to the bridge/router from the switch chip) were transmitted to the remote router. Sniffing even showed the VLAN IDs belonging to the other side. The EoIP tunnel was serving as a trunk.

When I changed one VLAN ID to match on both routers, I immediately got IP and mDNS connectivity over EoIP. Packets from other VLANs with mismatching IDs were properly dropped by the switch chip since I have secure VLAN mode. So at this point things were working as desired.

However, I didn't want to clutter the VPN link with unwanted packets that would be dropped at the destination anyway. So my next step was trying to use bridge filter rules in order to block some VLAN IDs from going out of the EoIP interface. Unfortunately, I got stuck there. I tried several variations but never got a match on the rule.

/interface/bridge/filter/
add chain=forward action=drop out-interface=eoip-tunnel1 mac-protocol=vlan vlan-id=20
add chain=forward action=drop out-interface=eoip-tunnel1 mac-protocol=vlan vlan-id=20 vlan-encap=vlan

I must be missing something here. If I can get the blocking done, this solution would be perfect for my scenario. This way I don't have to deal with a complicated configuration with multiple bridges bridging interfaces that already sit on top of another bridge.
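A way to verify which VLAN IDs actually cross the tunnel, as an added example that is not part of the original post: a small Python parser for 802.1Q/802.1ad tags that can be pointed at frames captured with the RouterOS packet sniffer, here fed with frames constructed inline so it runs offline. It counts frames per tag and lists the "stray" VLAN IDs that would only be dropped at the far end, and it also shows why a double-tagged (QinQ) frame carries two IDs, which is what the `vlan-encap=vlan` matcher in the second rule above refers to as I read the RouterOS documentation (outer tag followed by another VLAN header, not a single tag). The MAC addresses, VLAN numbers and the allowed-VLAN set are made-up values.

```python
import struct

# TPIDs that introduce a VLAN header (802.1Q single tag, 802.1ad outer tag for QinQ)
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Walks nested VLAN headers outer-to-inner, so a QinQ frame yields two IDs.
    The 12-bit VID is the low bits of the TCI; PCP/DEI are masked off.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            tci = struct.unpack_from("!H", frame, offset + 2)[0]
            vlan_ids.append(tci & 0x0FFF)
            offset += 4  # TPID + TCI
        else:
            return vlan_ids, ethertype


def audit_tunnel_frames(frames, allowed_vlans):
    """Classify frames seen on the tunnel by their outer VLAN ID.

    'stray' frames carry a tag the far side has no use for; they are the
    traffic a bridge filter on the EoIP interface would ideally drop locally.
    """
    report = {"untagged": 0, "allowed": 0, "stray": 0, "stray_vlan_ids": set()}
    for frame in frames:
        vlan_ids, _ = parse_vlan_tags(frame)
        if not vlan_ids:
            report["untagged"] += 1
        elif vlan_ids[0] in allowed_vlans:
            report["allowed"] += 1
        else:
            report["stray"] += 1
            report["stray_vlan_ids"].add(vlan_ids[0])
    return report


def build_frame(dst, src, vlan_ids, payload_ethertype, payload=b"\x00" * 4):
    """Construct a test frame; with two IDs the outer tag uses the 802.1ad TPID."""
    header = dst + src
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_8021AD if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_8021Q
        header += struct.pack("!HH", tpid, vid & 0x0FFF)
    header += struct.pack("!H", payload_ethertype)
    return header + payload


# Constructed sample capture (locally administered, made-up MAC addresses)
MAC_A = bytes.fromhex("02aabbcc0001")
MAC_B = bytes.fromhex("02aabbcc0002")
SAMPLE_FRAMES = [
    build_frame(MAC_A, MAC_B, [], ETHERTYPE_ARP),          # untagged ARP
    build_frame(MAC_A, MAC_B, [10], ETHERTYPE_IPV4),       # VLAN 10, wanted on the far side
    build_frame(MAC_A, MAC_B, [20], ETHERTYPE_IPV4),       # VLAN 20, stray
    build_frame(MAC_B, MAC_A, [20], ETHERTYPE_IPV6),       # VLAN 20 again, stray
    build_frame(MAC_A, MAC_B, [100, 20], ETHERTYPE_IPV4),  # QinQ: outer 100, inner 20
]
ALLOWED_VLANS = {10}  # assumption: only VLAN 10 is meant to cross the tunnel


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        ids, etype = parse_vlan_tags(frame)
        print(f"tags={ids} inner_ethertype=0x{etype:04x}")
    print(audit_tunnel_frames(SAMPLE_FRAMES, ALLOWED_VLANS))
```

To use it on a real capture, export the sniffer's frames as raw bytes (for example from a pcap file with any pcap reader) and pass the list of frame byte strings to `audit_tunnel_frames` with the VLAN set that the other router is actually configured for; the `stray_vlan_ids` set is the list of IDs worth a filter rule.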