Wireless bridge issues with AP <> Station Bridge mode VLANs - Netbox 5 ax

Hoping somebody here can help.

I have the following config:

VLANs 70, 77, 700, 701, and 777.
VLAN 70 is my LAN/management traffic that I'm hoping to establish a wireless connection to from one Netbox 5 ax (AP mode) to another in station bridge mode.

I've configured wireless config settings for the SSID that is set up to use a datapath on VLAN 70. The bridge has all VLANs in one lan_bridge and traffic connects properly when wired into eth1 plugged in to my switch on a trunk port (eth1 is the trunk port on the Netbox, which only has one ethernet port). I can make the wireless connection, which seems to be working because then I start getting RSTP errors and Winbox drops my connection. So, I unplug the wired connection... and then cannot connect over the wifi port to the second Netbox 5. If I plug the Netbox into the already configured Powerbox trunk port and then wire myself into the same VLAN there, I can once again see the Netbox. I also see registration on both ends showing up, but again cannot pass traffic wirelessly across the two devices. I feel like there's something funky going on with the tagged/trunk ports, but can't quite figure out where I've gone wrong.

They are all set up with static IPs. Main is 10.2.70.231, and EH1 is 10.2.70.232. Connecting via wifi on my computer to the AP (main) allows me to connect on the interlink SSID and I can ping all devices on that side of the wireless bridge and pass traffic from my computer wirelessly to those; however, there is no access to the station bridge side.

Connecting via ethernet to the Powerbox that has a trunk port connected to the station bridge Netbox gives me access to the Powerbox and Netbox on that side, but I can't get across to the other side.

Configs are below. The main AP is configured via CAPsMAN, but I tried to take it off and manually configure it with no change. The station bridge is manually configured with wifi.

MAIN NETBOX:

/interface bridge
add frame-types=admit-only-vlan-tagged name=lan_bridge vlan-filtering=yes
/interface wifi
# managed by CAPsMAN 04:F4:1C:AD:EE:F0%vlan70-LAN, traffic processing on CAP
# mode: AP, SSID: KPX-TrustedInterlink, channel: 5745/ax
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface vlan
add interface=lan_bridge name=vlan70-LAN vlan-id=70
/interface bridge port
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=wifi1 \
    pvid=70
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=lan_bridge tagged=lan_bridge,ether1,wifi1 vlan-ids=\
    1,70,77,99,700-701,777
/interface ovpn-server server
add mac-address=FE:FA:EB:17:34:FC name=ovpn-server1
/interface wifi cap
set certificate=request discovery-interfaces=vlan70-LAN enabled=yes
/ip address
add address=10.2.70.231/24 interface=vlan70-LAN network=10.2.70.0
/ip dns
set servers=1.1.1.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.2.70.1 routing-table=main
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/system clock
set time-zone-autodetect=no time-zone-name=US/Pacific
/system identity
set name=NetBox5ax-Main

EH1 (station bridge):

/interface bridge
add frame-types=admit-only-vlan-tagged name=lan_bridge vlan-filtering=yes
/interface vlan
add interface=lan_bridge name=Guest_Wireless vlan-id=701
add interface=lan_bridge name=LVP-TrustedWiFi vlan-id=700
add interface=lan_bridge name=LVP_Cams vlan-id=77
add interface=lan_bridge name=LVP_LAN vlan-id=70
add interface=lan_bridge name=Plant_Controller vlan-id=777
/interface list
add include=all name=LAN
add name=MGMT
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 \
    width=20mhz
add band=5ghz-ax disabled=no frequency=5745,5765,5785,5805,5825 name=\
    5GHZ::UNII-3 width=20mhz
add band=5ghz-ax disabled=no frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=\
    20mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::AUTO width=\
    20mhz
/interface wifi datapath
add disabled=no name=datapath-Trusted vlan-id=700
add disabled=no name=datapath-guest vlan-id=701
add disabled=no name=datapath-Interlink vlan-id=70
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Trusted-Security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Guest-Security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=\
    Interlink-Security
/interface wifi configuration
add channel=2GHZ::AUTO country="United States" datapath=datapath-Trusted \
    datapath.vlan-id=700 disabled=no mode=ap name=cfg-2Ghz security=\
    Trusted-Security ssid=KPX-TrustedWiFi-2Ghz
add channel=5GHZ::NON-DFS country="United States" datapath=datapath-Trusted \
    datapath.vlan-id=700 disabled=no installation=outdoor mode=ap name=\
    cfg-5Ghz security=Trusted-Security ssid=KPX-TrustedWiFi-5Ghz
add country="United States" datapath=datapath-guest datapath.vlan-id=701 \
    disabled=no installation=outdoor mode=ap name=cfg-GUEST security=\
    Guest-Security ssid=KPX-GuestWiFi
add channel=5GHZ::NON-DFS channel.frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805,5825 country="United States" \
    datapath=datapath-Interlink disabled=no installation=outdoor mode=\
    station-bridge name=cfg-Interlink security=Interlink-Security \
    security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    KPX-TrustedInterlink
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg-Interlink \
    configuration.mode=station-bridge disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface bridge port
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=lan_bridge tagged=ether1,lan_bridge,wifi1 vlan-ids=\
    1,70,77,99,700-701,777
/ip address
add address=10.2.70.232 interface=LVP_LAN network=10.2.70.232
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/system identity
set name=Netbox-EH1

I cannot say whether it is related when VLANs are involved, but for "plain" connections the bridge on the station-bridge (or station-pseudobridge) device sometimes needs RSTP turned off (protocol-mode=none).
Anyway, it costs nothing to try disabling RSTP.

I just gave it a shot and took off RSTP on the station bridge. No change though.

I was able to get the link working by removing the VLAN tag from the datapath settings in the configuration. By forcing it onto the bridge instead of the VLAN, this appeared to let the traffic pass through trunked rather than stripping and applying VLAN 70.

The next issue is that there will be a large number of station bridge devices being deployed. I would like to use CAPsMAN to push everything; however, with the wireless station bridge connection, CAPsMAN appears to keep flipping this to AP if I power cycle the downstream Netbox that is connecting wirelessly to the location where the CAPsMAN controller is. I have configured lock to CAPsMAN and slaves static, since I am going to be also configuring some client-facing SSIDs at all the locations to use some of the other VLANs. I can get CAPsMAN to connect, pull the config over the wire, and then disconnect and plug in and keep my wireless bridge up; however, if I power cycle the remote-side device, it cannot reconnect again until I plug my cable back in.

Configuring the interlink/backhaul connection manually does work on reboot; however, I then can't use CAPsMAN to generate slave/virtual wifi interfaces for the client-facing SSIDs only.

I have confirmed that the configuration in CAPsMAN for the remote-side Netbox devices is set with mode=station-bridge, which is the same setting that is working perfectly when statically/manually configured without CAPs.
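As an added illustration of the working arrangement described above (this is not an export from the original post), the station-bridge side can be reduced to the pieces that matter: wifi1 is an ordinary tagged trunk member of lan_bridge, the Interlink datapath carries no vlan-id, and RSTP is switched off on the bridge as suggested earlier in the thread. Bridge, VLAN, datapath, security and configuration names, the SSID and the VLAN list are taken from the exports above; the /24 prefix on the management address and the absence of a bridge= setting on the datapath are my assumptions, and the WPA passphrase is omitted because exports do not show it.

```routeros
# Added example: EH1 (station-bridge side) with the datapath VLAN tag removed.
# Frames keep their 802.1Q tags across the wireless link; lan_bridge does the
# VLAN filtering, exactly as it does for the wired trunk on ether1.
/interface bridge
add frame-types=admit-only-vlan-tagged name=lan_bridge protocol-mode=none \
    vlan-filtering=yes

/interface vlan
add interface=lan_bridge name=LVP_LAN vlan-id=70

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk name=Interlink-Security

# No vlan-id on this datapath: the wifi interface forwards tagged frames
# unchanged instead of stripping them and re-tagging everything as VLAN 70.
/interface wifi datapath
add disabled=no name=datapath-Interlink

/interface wifi configuration
add country="United States" datapath=datapath-Interlink mode=station-bridge \
    name=cfg-Interlink security=Interlink-Security ssid=KPX-TrustedInterlink

/interface wifi
set [ find default-name=wifi1 ] configuration=cfg-Interlink disabled=no

# Both the wired trunk and the wireless backhaul admit tagged frames only.
/interface bridge port
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=lan_bridge frame-types=admit-only-vlan-tagged interface=wifi1

# Every VLAN that must cross the link is tagged on ether1, wifi1 and the
# bridge itself (the bridge entry is what lets the VLAN interfaces above work).
/interface bridge vlan
add bridge=lan_bridge tagged=ether1,lan_bridge,wifi1 vlan-ids=70,77,700-701,777

# Assumption: a /24 management address on VLAN 70 (the export above shows a
# host address without a prefix, which gives the device no connected route).
/ip address
add address=10.2.70.232/24 interface=LVP_LAN
```

The same principle applies on the AP side: leave vlan-id out of the datapath, do not set a pvid on the wifi1 bridge port while frame-types=admit-only-vlan-tagged is in force (untagged frames are dropped before the pvid would apply), and keep wifi1 in the tagged list of every VLAN. Once the station has associated, `/interface wifi registration-table print` on either end confirms the link, and `/interface bridge host print where interface=wifi1` on the AP shows MAC addresses learned from the far side, which is the quickest check that tagged traffic is actually crossing rather than just the association succeeding.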

You can't use CAPsMAN to provision station(-*) WiFi interfaces if the stations use the wifi link towards CAPsMAN, because there's the chicken-and-egg problem: you need to start the wifi interface in station mode to get the link, after which it can connect to CAPsMAN, which then provisions the same wifi interface. And it doesn't matter if CAPsMAN settings allow setting mode=station-bridge. It could be that CAPsMAN actually ignores this setting... settings under /interface/wifi are shared between CAPsMAN and manually provisioned local interfaces, and I guess that there are settings which don't make sense for one of the provisioning modes but it's still possible to set them.

OTOH, on the station you don't have to bother with radio-specific settings (frequency, channel width) because those will have to follow the AP anyway. The only effect of setting them is that the station might not be able to connect to the AP if the AP is using a frequency not configured on the station.

This is the conclusion I was avoiding but kinda knew to be true. However, I got stuck trying to figure out: is there some way to have manually configured wifi1 station bridges, and CAPsMAN-controlled virtual interfaces without the master being a physical interface? It seems CAPsMAN still wants a master configuration for a physical interface, so I can't use CAPsMAN to control settings on the two virtual interfaces I would like to have created under it, or can this be done? I'm trying to be able to make changes to the client-facing radios now without touching that manually managed AP<>station-bridge physical interface.

Thanks!

No, it doesn't seem to be possible to make CAPsMAN only provision slave interfaces on top of an independently configured (and already running) master interface.

It is possible, however, to provision only one physical wifi interface using CAPsMAN while configuring the other manually (the one in station-bridge mode), if the device has two radios (physical wifi interfaces) or more.
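As an added example of the two-radio split described in the reply above (not config from the original thread), this is the CAP side on a hypothetical device with two radios: wifi1 keeps the manually configured station-bridge backhaul from the earlier export and is never handed to CAPsMAN, while wifi2 is put under CAPsMAN control and discovered over the VLAN 70 interface that only exists because the backhaul is already up. The `configuration.manager=capsman` form is the one shown in the main Netbox export; the wifi2 interface name, the `discovery-interfaces=LVP_LAN` choice and the controller-side provisioning rule (matching by band so it can only ever touch the 2 GHz radio) are assumptions for the illustration.

```routeros
# Added example: CAP with two radios. wifi1 = manual station-bridge backhaul,
# wifi2 = CAPsMAN-managed client-facing radio.

# --- CAP side (remote Netbox, hypothetical second radio) -------------------
/interface wifi
# Backhaul stays local: no configuration.manager, so CAPsMAN never flips it to AP.
set [ find default-name=wifi1 ] configuration=cfg-Interlink \
    configuration.mode=station-bridge disabled=no
# Second radio is handed to CAPsMAN; it will only be provisioned once wifi1
# has associated and VLAN 70 (LVP_LAN) is reachable across the link.
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no

# CAP discovery runs over the management VLAN interface, which rides on the
# manually configured backhaul (assumption: LVP_LAN as in the EH1 export).
/interface wifi cap
set certificate=request discovery-interfaces=LVP_LAN enabled=yes \
    lock-to-caps-man=yes

# --- Controller side -------------------------------------------------------
# Provisioning rule restricted to the 2 GHz band, so even if a 5 GHz radio were
# ever exposed to the controller this rule would not claim it. Configuration
# names (cfg-2Ghz, cfg-GUEST) are the client-facing ones from the EH1 export.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2Ghz \
    slave-configurations=cfg-GUEST supported-bands=2ghz-ax
```

On a single-radio unit like the one in the thread this split is not available, which is the point the reply makes: the backhaul radio must be either fully manual or fully CAPsMAN-managed, and because the CAPsMAN path cannot survive a reboot without a wired connection, manual is the only option that comes back up on its own.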