Hello Everyone, I will try to be as brief as I can without missing important details. I don't have a config export as I have only tried once to set this up and fouled up a few things in the process.
Scenario: RB1100AH = primary office router; ether1 = LAN; ether2 = Backup Internet; ether3 = Primary ethernet
ether1 = dchp for LAN 192.168.100.0/24 (including wireless access points; currently Cisco WAP-200 devices; wireless clients receive IP from this pool)
ether1 -> GB Switch1 Port1; GB Switch1 Port2 -> GB Switch2 Port2; GB Switch1 Port47 -> FS752T Switch3 Port52(gb port)
ether2 -> direct to Backup Internet modem/router
ether3 -> direct to Primary ISP modem/router
ether5 = slave to ether1; connects to GB Switch4 Port1 on Ground floor of office not in main server/network room

Desired Result = RB1100AH in CAPsMAN role managing 3 or possibly 4 wAP ac Dual Band APs (RBwAPG-5HacT2HnD); Office WiFi (using same LAN as wired) and Guest WiFi (different subnet from LAN) available from wAP devices (both bands available; 2 SSID's broadcasting)

Initially I had CAPsMAN working with 1 wAP device connected to GB Switch4 broadcasting 1 SSID (wifi on office network 192.168.100.0/24) following a tutorial video from MUM.
I tried to start from Scratch to see if I could setup 2 SSID's from the 1 wAP device but messed up the Bridge and Bridge port setup along with dhcp. DHCP stopped working for clients, then VoIP base stations were failing to register and there were a whole lot of RED lines on my Firewall Filters. I had to disable the bridge and ports and that got my network back to normal but now I don't even have the working CAPsMAN from the beginning.

I recognize I might have to restart from nothing with the full RB1100AH config but I'd rather avoid that if possible. So I guess my question is:
How do I setup the Bridge interface (linked to what port?) How do I keep DHCP working for LAN clients on ether1 and Office WiFi clients while providing DHCP for Gst WiFi clients? Using CAPsMAN to manage the AP's. I would like to get one device working correctly so that the remaining devices can just be plugged in.

I was hoping to get to MUM and get some Wireless Training while it was here in Milan but was unable to make the arrangements work.

Any help and advice would be greatly appreciated. I thought about trying this using the old backup RB532a as the CAPsMAN but cant work out how to connect it to the LAN without fouling everything up. Plus I dont think I can get it to match the OS on the wAP (RB532a is running 6.33; wAP is 6.35.2)

Well, I think Im getting closer. I've changed switch cabling so that now the GB Switch4 connection goes into GB Switch1 Port 48. This means the RB1100AH is now only using the following ports:
ether1 (LAN) ether2 (BkUp Internet) ether3 (WAN/Primary ISP)

I've set the bridge on interface ether1 and CAPsMAN sees the wAP and provisions the wAP. I can see the broadcasting SSIDs from the wAP. The problem I have now is, when I enable ether1 as the Port on the bridge, my Firewall (ip firewall) shows a bunch of filters going red with the following message:
in/out interface match not possible when interface ether1 is slave, use master instead (CAPsMAN)

I understand this to mean that I will have to edit the filter entries on my Firewall to change the IN interface entry from ether1 to CAPsMAN. OR I just edit the entries to not specify an IN interface?

Once again, thanks for any and all input, ideas, opinions.

Well, I think Im getting closer. I've changed switch cabling so that now the GB Switch4 connection goes into GB Switch1 Port 48. This means the RB1100AH is now only using the following ports:
ether1 (LAN) ether2 (BkUp Internet) ether3 (WAN/Primary ISP)

I've set the bridge on interface ether1 and CAPsMAN sees the wAP and provisions the wAP. I can see the broadcasting SSIDs from the wAP. The problem I have now is, when I enable ether1 as the Port on the bridge, my Firewall (ip firewall) shows a bunch of filters going red with the following message:
in/out interface match not possible when interface ether1 is slave, use master instead (CAPsMAN)

I understand this to mean that I will have to edit the filter entries on my Firewall to change the IN interface entry from ether1 to CAPsMAN. OR I just edit the entries to not specify an IN interface?

Once again, thanks for any and all input, ideas, opinions.

Because ether1 is now part of a bridge, you need to change your interface to the bridge in your firewall rules.

Also LAN side IP address should be assigned to bridge and DHCP server should give addresses to bridge not to ether1.

Also LAN side IP address should be assigned to bridge and DHCP server should give addresses to bridge not to ether1.

Hi Thanks for this and sorry for what may seem an odd question.
If ether one is already assigned GW address for the LAN subnet, can any LAN address be assigned to the Bridge interface?
ether1 = 192.168.100.1 (GW for subnet) with route to ISP
can the bridge "CAPsMAN" be assigned 192.168.100.2 and will still work?

No, remove this address from ether1 and assign to bridge. Bridge is the master interface for included interfaces (ether1). In configuration You should use master interfaces, not slaves.

One suggestion - don't use 'capsman' as name for bridge, it can bring some confusion later. Actually this bridge serves as interface for entire LAN not only for CAPsMAN.

No, remove this address from ether1 and assign to bridge. Bridge is the master interface for included interfaces (ether1). In configuration You should use master interfaces, not slaves.

OK.
Bridge becomes the Master for all included interfaces. So it will be GW for LAN ntwrk. Does this mean if I want to use diff ntwrk for Gst Wifi I can assign a dhcp server for gst wifi to ether1?

One suggestion - don't use 'capsman' as name for bridge, it can bring some confusion later. Actually this bridge serves as interface for entire LAN not only for CAPsMAN.

Sounds reasonable. Of course I have to come up with a name that makes sense, but that can come later.
As for Firewall Filters. I was looking yesterday and am I correct in believing if I do not specify an IN Interface for a rule (leave it blank) this is a "default" and it would then look at the LAN port (bridge) as the default "IN Interface"?

Well, I have a single wAPac device connected to a switch on my LAN (pulling a dhcp IP from the LAN network) with 2 radios (2.4 and 5.0Ghz). The wAP is managed by CAPsMAN. The CAP is broadcasting 2 SSID's and I am able to connect to both SSID's with a wireless device. At this time, both SSID's are connecting clients to the LAN subnet.

Now comes my tricky part. I would like one of the SSID's to connect clients to a different subnet with Internet access so I can keep guests off the LAN subnet.

I believe I have to use Virtual AP interfaces and setup another Bridge interface, but it is difficult to pull the correct info. I find details for setting up an AP device directly with Gst wifi, but this is usually a singe radio device and is not managed by CAPsMAN.

Can I get some further guidance? Thanks

Thank You everyone for input. It looks like Ive got everything settled.

I've got clients connecting on both the LAN WiFi and the Gst WiFi receiving the appropriate IP addresses.

I need to watch for a bit but then I'll see about getting 3 more wAP devices to install and then I can work on signal strength for roaming.