Wow, thanks for the replies. I was thinking nothing had happened because I hadn't gotten any email alerts from the forum, so I was surprised to log in today and see!
Right, and thanks for the ASCII art to help clarify what the set-up should be. I think I was conceptually close. A couple of points:
-My device is the 750Gr3. CPU shouldn't be a limiting factor, but I might as well take advantage of hardware acceleration if possible, so I have a mild preference for mkx's proposal.
-I don't mind making a fully trunked port for the WAP and having it tag both SSIDs (i.e. 10 for WAN-side public traffic and 20 for LAN-side NATted traffic). Didn't occur to me earlier but it's easy enough to do.
I'm struggling with how to implement it, though. Sort of grasping at straws here, I did:
# Attempted VLAN set-up (RouterOS CLI): VLAN 20 interface on the bridge, VLAN 10 interface on ether1, then bridge-port PVIDs.
/interface vlan add interface=bridge1 vlan-id=20 name=lan-if
# wan-if is created directly on ether1 rather than on bridge1; the PVID line that follows assumes ether1 is a bridge port
/interface vlan add interface=ether1 vlan-id=10 name=wan-if
# NOTE(review): the export below lists ether2-master, ether3, ether4 and ether5 as bridge ports but not ether1, so this "set" appears to have no bridge-port entry to match — confirm
/interface bridge port set interface=ether1 pvid=10
/interface bridge port set interface=ether2-master pvid=20
/interface bridge port set interface=ether3 pvid=20
No go.
Just to try something in addition, I then also did:
/interface ethernet switch port edit ether1 default-vlan-id and set it to 10
/interface ethernet switch port edit ether2-master default-vlan-id and set it to 20
/interface ethernet switch port edit ether3-master default-vlan-id and set it to 20
After doing that, traffic tagged with VLAN 10 could not obtain an IP address from my ISP's DHCP server, so I presume I made an error somewhere.
Also of note, my srcnat and firewall drop rules are currently applied to ether1, in case that needs to change. I also forgot (before undoing this configuration) to enable VLAN filtering on bridge1, which I had tried yesterday to no avail, in case that matters. Finally, do I need to strip the VLAN headers on ether1 so that the VLAN 10 tag is not passed out to my ISP on that interface?
I'm probably very lost here, I know.
FWIW, here's my config after implementing the above:
[admin@MikroTik] > /export hide-sensitive terse
# jul/28/2018 12:12:33 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xxx
# Running configuration as exported with hide-sensitive (secrets masked). No /interface vlan entries and no
# bridge-port PVIDs appear here, so the VLAN attempt described above is not reflected in this export.
# protocol-mode=none: no spanning-tree protocol runs on bridge1
/interface bridge add admin-mac=xx:xx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet set [ find default-name=ether2 ] name=ether2-master
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
# Default wireless security profile; NOTE(review): this model has no wireless, presumably a leftover default — confirm
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
# LAN clients get 192.168.56.10-254; VPN clients get 192.168.89.2-255 (ppp profile below)
/ip pool add name=dhcp ranges=192.168.56.10-192.168.56.254
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
# DHCP server is bound to bridge1 only
/ip dhcp-server add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=defconf
/port set 0 name=usb1
# Secondary WAN over a USB PPP client; default-route-distance=2 ranks it below the ether1 DHCP route
/interface ppp-client add data-channel=1 default-route-distance=2 disabled=no info-channel=1 name=ppp-out1 port=usb1
/ppp profile set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# Bridge members: ether3, ether4, ether5, ether2-master. ether1 is not a bridge port, so any
# "/interface bridge port set interface=ether1 ..." command has no entry to act on.
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings set discover-interface-list=discover
# Three remote-access VPN servers are enabled (L2TP over IPsec here, PPTP and SSTP below).
/interface l2tp-server server set enabled=yes use-ipsec=yes
# Neighbor discovery and MAC-server access are limited to LAN-side interfaces via these lists
/interface list member add interface=bridge1 list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=bridge1 list=mactel
/interface list member add interface=bridge1 list=mac-winbox
# NOTE(review): PPTP is reachable from the WAN (TCP 1723 is accepted in the input chain below). PPTP's
# MS-CHAPv2/MPPE are generally considered weak; with L2TP/IPsec and SSTP also enabled, confirm it is still needed.
/interface pptp-server server set enabled=yes
/interface sstp-server server set default-profile=default-encryption enabled=yes
/ip address add address=192.168.56.1/24 comment=defconf interface=bridge1 network=192.168.56.0
/ip cloud set ddns-enabled=yes
# WAN IPv4 address is obtained on the untagged ether1 port (IPv6 likewise at the /ipv6 dhcp-client line below).
# If WAN traffic is moved to a VLAN interface on ether1, this client and every rule below that matches
# in-interface=ether1 / out-interface=ether1 will still refer to the untagged port — TODO confirm which interface should carry WAN
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network add address=192.168.56.0/24 comment=defconf dhcp-option=ntp-server,tftp-server-host,tftp-server-host-polycom,time-offset,unifi gateway=192.168.56.1 netmask=24
# allow-remote-requests=yes makes the router resolve DNS for clients. The input chain below drops unsolicited
# packets arriving on ether1 and ppp-out1, which is what keeps this from being an open resolver on those
# interfaces; any additional WAN-facing interface needs an equivalent drop rule.
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,9.9.9.10
/ip dns static add address=192.168.56.1 name=router
# Input chain: ICMP, established/related and the VPN service ports (UDP 500/4500/1701, TCP 1723/443) are
# accepted from any interface, including the WAN, before the two interface-specific drop rules.
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# The WAN drop rules match only by interface name (ether1, ppp-out1); a new WAN-facing interface is not covered
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=input in-interface=ppp-out1
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Forward chain: new inbound connections from either WAN interface are dropped unless DST-NATed; same
# interface-name dependency as the input rules above
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ppp-out1
# srcnat: masquerade out of ether1 and ppp-out1; the VPN subnet is masqueraded by source address instead
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ppp-out1
# IPv6 prefix delegation is also requested on the untagged ether1 port (no IPv6 firewall rules are shown in this export)
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=isp-ipv6 request=address,prefix
/system clock set time-zone-name=America/Chicago
/system ntp client set enabled=yes server-dns-names=time.nist.gov,pool.ntp.org
/system routerboard settings set silent-boot=no
# MAC-telnet and MAC-winbox are restricted to bridge1 through the lists defined above
/tool mac-server set allowed-interface-list=mactel
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox