Is there a management vlan or is vlan10 a trusted vlan?
viewtopic.php?t=182276
Assuming vlan10 is your trusted/management vlan (the clue is the IP address of the managed switch, and the AP should be on this vlan):
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridge name=trustedVLAN vlan-id=10
/interface list
add name=management
/interface wireless
# as required
/interface bridge port
add bridge=bridge frame-types=admit-only-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WLAN1-Trusted pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WLAN2-Guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=WLAN1-Trusted vlan-ids=10
add bridge=bridge tagged=ether1 untagged=WLAN2-Guest vlan-ids=20
/interface list member
add interface=WLAN1-Trusted list=management
add interface=emergaccess list=management
/ip address
# use whatever address is assigned to the CAPAC
add address=192.168.10.55/24 interface=trustedVLAN network=192.168.10.0 comment="IP of capac on trusted subnet"
add address=192.168.5.1/24 interface=emergaccess network=192.168.5.0 comment="ether2 access off bridge"
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
# winbox address: the IPs that should be able to access the capac via winbox, admin IPs on 192.168.10.0/24, and pick an IP from emergaccess like 192.168.5.5
set winbox address=x.x.x.x
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
For more information on off bridge:
viewtopic.php?t=181718
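A small audit for the management-plane settings in the config above, added here as an example and not part of the original post: it parses RouterOS export text and reports anything looser than what the post sets (unused services disabled, ssh/winbox limited by address, MAC telnet off, MAC winbox and neighbor discovery not open on all interfaces). The function names and sample addresses are constructed, and it assumes an unwrapped listing in which these settings appear explicitly.

```python
import shlex
# Constructed sample in the shape of the config above (addresses are placeholders).
SAMPLE = """\
/ip neighbor discovery-settings
set discover-interface-list=management
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=no
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24,192.168.5.5/32
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=management
"""

def parse(text):
    """Yield (menu, positional words, {key: value}) for each command line."""
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line                      # e.g. "/ip service"
        elif line and not line.startswith("#"):
            words = shlex.split(line)[1:]    # drop the verb (set/add)
            props = dict(w.split("=", 1) for w in words if "=" in w)
            yield menu, [w for w in words if "=" not in w], props

def audit(text):
    """Return findings where the config is looser than the post's hardening."""
    findings, seen = [], {}
    for menu, pos, props in parse(text):
        if menu == "/ip service" and pos:
            seen[pos[0]] = props             # keyed by service name
        elif menu == "/tool mac-server" and props.get("allowed-interface-list") != "none":
            findings.append("mac-server (MAC telnet) not set to none")
        elif menu in ("/tool mac-server mac-winbox", "/ip neighbor discovery-settings"):
            if "all" in props.values():
                findings.append(f"{menu} open on all interfaces")
    for svc in ("telnet", "ftp", "www", "api", "api-ssl"):
        if seen.get(svc, {}).get("disabled") != "yes":   # absent counts as enabled
            findings.append(f"service {svc} not disabled")
    for svc in ("ssh", "winbox"):
        if not seen.get(svc, {}).get("address"):
            findings.append(f"service {svc} has no address restriction")
    return findings
```

Calling `audit()` on the text of an export returns a list of findings; an empty list means every checked setting matches the hardening in the post.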