Simple example from my home router:
/interface bridge
add name=internal
add name=public
/interface vlan
add interface=internal name=vlan82-guest vlan-id=82
add interface=internal name=vlan240-public vlan-id=240
/interface bridge port
add bridge=public interface=wlan1-public
add bridge=public interface=vlan240-public
add bridge=internal interface=ether1
add bridge=internal interface=wlan2-home

Bridge internal contains ether1 going to the switch and wlan2-home wi-fi. On top of that is vlan82-guest for the guest network (it's your case #2). The wireless interface has vlan-mode=use-tag, vlan-id=82, so all unknown devices go into the guest VLAN. Trusted devices have entries under /interface wireless access-list with vlan-mode=no-tag, which makes them part of the private internal LAN. Doing it like this allows having only one common SSID, instead of a virtual AP with a different one. There's another AP in the internal network with the same config and ether1 and wlan1 bridged together, but without any defined VLANs, so it just passes the tagged guest network transparently (that's what I described in the previous post).

Then there's vlan240-public for an internal server, to be directly part of the public network, which is bridged together with the WAN interface wlan1-public using bridge public (it's half your case #1, as it's a VLAN with a physical interface).
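
The wireless side of the setup described above, written out as an added example that is not part of the original post: the interface default tags every client into VLAN 82, and access-list entries untag the trusted devices. The MAC addresses, comments and key values are constructed placeholders, and the per-device `private-pre-shared-key` is an assumption added here as hardening; the post does not mention it.

```routeros
# Added example, not from the original post.

# Default for every client on the shared SSID: tag traffic into guest VLAN 82.
# The tagged frames enter bridge "internal" and are picked up by vlan82-guest.
/interface wireless
set wlan2-home vlan-mode=use-tag vlan-id=82

# Trusted devices: vlan-mode=no-tag overrides the interface default, so their
# traffic reaches bridge "internal" untagged (the private LAN).
# MAC addresses are constructed placeholders; replace with real device MACs.
# private-pre-shared-key is an assumption (not in the post): it gives each
# trusted entry its own WPA key instead of the shared SSID passphrase.
/interface wireless access-list
add interface=wlan2-home mac-address=02:00:00:00:00:01 vlan-mode=no-tag \
    private-pre-shared-key="REPLACE-WITH-PER-DEVICE-KEY-1" \
    comment="trusted laptop (constructed)"
add interface=wlan2-home mac-address=02:00:00:00:00:02 vlan-mode=no-tag \
    private-pre-shared-key="REPLACE-WITH-PER-DEVICE-KEY-2" \
    comment="trusted phone (constructed)"
```

Access-list entries match on MAC address alone, which identifies a device but does not authenticate it. That is why the example pairs each untagged entry with its own key, so the shared guest passphrase is not enough to land on the internal LAN.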