Thank you for pointing me to direction to find solution. I had time today to play and test.
However I didn't get "station bridge" working. I got permanent log for 4-way handshake timeout (15)
and no connection at all.
And I started to search what can be the cause of this problem. As far as I understand there was problem using WPA2 dynamic keys or whatever.
But I want to use WPA2-AES only on my AP.
Anyway my searching ended with different solution config using WDS.
updated settings on RB951G-2HnD router (only the changes I add to my working config)
set [ find default-name=wlan1 ] distance=indoors mode=ap-bridge wds-default-bridge=bridge-local wds-mode=static-mesh
/interface wireless wds
add disabled=no master-interface=wlan1 name=wds wds-address=AA:BB:CC:DD:EE:FF
AA:BB:CC:DD:EE:FF => WLAN MAC address from hAP
was recommended on forum instead of just wds-mode=stati
settings on RB941-2nD-TC (hAP)
Basically remove all the default config (DHCP server, NAT, firewall, DNS) keeping just wireless, bridge and DHCP client on bridge-local
And modify this settings:
set [ find default-name=wlan1 ] distance=indoors frequency=auto mode=station-wds
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys wpa2-pre-shared-key="hereAPpassword"
/system ntp client
And it is working very well, at least so far
Everything connected to hAP LAN ports act same way as directly connected to the router.
I hope this settings makes sense and is somehow correct and secure