I have configured L2TP/IPsec using an L2TP interface. Everything works as expected.
After that, I removed an interface from the bridge, added a new subnet, DHCP server, NAT and mangle rules, and tagged those packets properly. It will be used for Synology.
Because I have a hAP ac2, my idea is to use one of the two Wi-Fi interfaces and have a separate subnet, then route traffic over the VPN for the TV and a few other devices.
I have removed the wlan2 interface from the bridge and mostly repeated all the steps I did for the Ethernet interface.
The current interface is in AP Bridge mode and I'm not sure if this is correct. Clients can connect and they get a proper IP, gateway, etc., but they can't go to the internet.
I'm not sure if that is the best scenario to achieve what I want; if someone has a better idea, that would be awesome.
I can't put this eth interface and wlan into a bridge because I can't run a DHCP server on a slave interface.