Finally have this figured out, but this may or may not be a happy solution.
If one follows the guide for a simple CAPsMan setup,
https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup
one would have, at the end, forbidden the CAP manager from listening on the "all" interface:
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
This appears to be the crux of the problem for me.
So, in conclusion:
- Set up the LAN accept rule as stated above, and put it before the "drop all not coming from LAN" rule:
add action=accept chain=input comment="CAPsMAN accept all local traffic" src-address-type=local
- Don't disable the CAPsMAN manager interface.
- No need to add the bridge rule
Given the setup, however, I am not entirely sure what would happen if there's a CAP connected to eth1 (my WAN port). Given mine is a private property setup with only internet upstream, it's probably not any concern of mine if an upstream CAP gets connected to mine, but still, not necessarily the best, especially when setting this up in a multi-tier environment. But then again, if you are setting all those tiers up, you can probably afford to not use the local wireless.
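The three conclusions above collected into one RouterOS script, as an added example rather than the poster's own configuration or anything from the MikroTik wiki. It assumes the default-configuration drop rule carries the comment "defconf: drop all not coming from LAN" and that the LAN bridge is named "bridge"; both are assumptions, so adjust the `find` filters to match your own rule comments.

```routeros
# Added example, not the original poster's configuration or MikroTik's
# documentation. Assumed: the default-config drop rule is commented
# "defconf: drop all not coming from LAN" and the LAN bridge is "bridge".

/ip firewall filter
# Accept packets whose source is one of the router's own addresses;
# this is the path the local CAP uses to reach the local CAPsMAN manager.
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
# Move the accept rule to the position of the drop rule so it is
# evaluated first (the drop rule shifts down one place).
move [find comment="CAPsMAN accept all local traffic"] \
    [find comment="defconf: drop all not coming from LAN"]

/caps-man manager interface
# Keep the default "all" entry listening (forbid=no). Forbidding it is
# what broke the setup described in the post, and with it left in place
# no separate bridge entry is required.
set [find default=yes] forbid=no

# Checks: the accept rule must print above the drop rule, and the local
# CAP should appear as a connected remote CAP.
/ip firewall filter print where chain=input
/caps-man remote-cap print
```

Two points worth keeping in mind when reading the result. `src-address-type=local` only matches packets sourced from the router's own addresses, so this rule does not by itself admit a CAP plugged into eth1; whether such a CAP can still reach the manager depends on the remaining input rules and on the fact that CAPs on the same layer-2 segment can discover the manager by MAC, which the IP firewall never sees. That is exactly the open question the post raises about the WAN port, and the manager interface list, not the IP firewall, is the knob that governs it.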