Thor187
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat Oct 21, 2017 10:21 pm

hAP Mini RB931-2nD as a CAP in CAPsMAN

Wed Apr 17, 2019 4:15 pm

Hello, quick question: if I want to use the RB931-2nD as a CAP, I assume all I need to do is bridge the LAN ports with the WLAN for all the traffic to travel through to the main router, whether the device has wifi clients or a physical PC attached to the LAN?

The scenario: I want to have one main router (probably HEX S) with the firewall and all that, and then deploy these cheaper hAP minis throughout the house and have them all get their configs from the HEX S so I do not need to set up a bunch of hAP Minis.

Can I set the channel per hAP from the CAPsMAN router? I want hAP 1 to be channel 1, hAP 2 to be channel 6, hAP 3 to be channel 11 and then hAP 4 to be channel 1 and hAP 5 to be channel 6 again.

Do you still need to configure a firewall on each hAP mini when you use CAPsMAN?
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Wed Apr 17, 2019 4:22 pm

You have two possibilities to choose from:
  1. all traffic over wireless interface is tunneled to caps manager through some kind of tunnel. Bonus is that if you configure multiple SSIDs (e.g. one for LAN devices, other for guest devices) you don't have to worry about secure config on 3rd party LAN devices, everything needed to be done is done on caps manager. Drawback is that it severely limits data throughput.
  2. all traffic over wireless interface exits cap devices locally. Bonus is higher performance, drawback is potentially more complicated setup on 3rd party LAN devices (and caps and capsman devices).

Other than that, you can configure almost everything through capsman as you could directly on devices (including channel selection etc.). Not everything though.
 
Thor187
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat Oct 21, 2017 10:21 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Wed Apr 17, 2019 5:12 pm

Thank you for the reply, @mkx.

This is for a home, so the layout will look like this (just one SSID). I hope my text art is understandable.
TP-LINK VDSL -> RB951 (PPPOE + CAPsMAN) (RB)
-------------------RB--------> Unmanaged Gigabit Switch (S)
-------------------S--------------------------> DHCP Server + Pi-Hole
-------------------S--------------------------> hAP Minis (CAPs) (H)
-------------------H--------------------------------------> PCs
-------------------S--------------------------> Uniview NVR
-------------------S--------------------------> Uniview POE Switch (P)
-------------------P---------------------------------------> Uniview IP Cameras

How would I go about this?
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Wed Apr 17, 2019 10:26 pm

Go with option #2 (wireless data mixes with the rest locally at APs and unmanaged switch, doesn't hit the main RB). When configuring capsman datapath, use local-forwarding=yes ...

BTW, capsman setup is only about wireless. Wired still has to be done on each cap device and doesn't go through capsman device (unless you try really hard).
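
Added example, not part of the original posts: a RouterOS 6 (legacy CAPsMAN) sketch of the setup discussed above, with one channel per CAP, `local-forwarding=yes`, and the wired bridge configured on each hAP mini. All names, the SSID, the passphrase and the radio MAC addresses are placeholders, and the CAP section assumes a device reset without default configuration.

```routeros
# --- On the CAPsMAN router (all names are placeholders) ---
/caps-man channel
add name=ch1  band=2ghz-b/g/n frequency=2412 control-channel-width=20mhz extension-channel=disabled
add name=ch6  band=2ghz-b/g/n frequency=2437 control-channel-width=20mhz extension-channel=disabled
add name=ch11 band=2ghz-b/g/n frequency=2462 control-channel-width=20mhz extension-channel=disabled

# local-forwarding=yes: wireless client traffic leaves through the CAP's own
# bridge instead of being tunnelled to the manager
/caps-man datapath
add name=dp-local local-forwarding=yes client-to-client-forwarding=yes

/caps-man security
add name=sec-home authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="REPLACE-WITH-LONG-PASSPHRASE"

# One configuration per channel, sharing SSID, datapath and security profile
/caps-man configuration
add name=cfg-ch1  ssid=HomeWiFi channel=ch1  datapath=dp-local security=sec-home
add name=cfg-ch6  ssid=HomeWiFi channel=ch6  datapath=dp-local security=sec-home
add name=cfg-ch11 ssid=HomeWiFi channel=ch11 datapath=dp-local security=sec-home

# One provisioning rule per CAP radio, matched by radio MAC (constructed values)
/caps-man provisioning
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:01 master-configuration=cfg-ch1  comment="hAP 1"
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:02 master-configuration=cfg-ch6  comment="hAP 2"
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:03 master-configuration=cfg-ch11 comment="hAP 3"
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:04 master-configuration=cfg-ch1  comment="hAP 4"
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:05 master-configuration=cfg-ch6  comment="hAP 5"

/caps-man manager
set enabled=yes

# --- On each hAP mini (wired side is not managed by CAPsMAN) ---
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3

# Hand wlan1 to CAPsMAN; with local forwarding the radio joins this bridge
/interface wireless cap
set enabled=yes interfaces=wlan1 discovery-interfaces=bridge bridge=bridge
```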
 
Thor187
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat Oct 21, 2017 10:21 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Thu Apr 18, 2019 9:20 pm

Alright, so that means I still need to configure each hAP mini individually (to enable bridge on the LAN ports with the WLAN (CAP)).

If I have the firewall on the RB931, do I still need to configure a firewall on each hAP mini?

If so, does this firewall need to be equally as hardened or can I simply add a password and be done with it?

Do you have a firewall I can use on the RB931? Not going to pretend I have a clue how to configure it in MikroTik or how to adapt what I see online for my use case. My use case is: the RB931 will PPPoE out to the VDSL router and the Raspberry Pi is the DHCP and DNS server. The IP of my network gateway (MikroTik) will be 192.168.99.1, the Raspberry Pi (DHCP/DNS server) 192.168.99.3, the DHCP range will be 192.168.99.50 to 192.168.99.250, the NVR will be 192.168.99.10, the cameras will be 192.168.99.11 to 192.168.99.25, the only PC on the network will be 192.168.99.2, and the hAP Minis will be 192.168.99.31 to 192.168.99.35.

In other words:
RB931 = 192.168.99.1
Main PC = 192.168.99.2
Raspberry Pi 3+ (DHCP DNS) = 192.168.99.3
NVR = 192.168.99.10
Cameras = 192.168.99.11 to 192.168.99.25
hAP Minis = 192.168.99.31 to 192.168.99.35

Questions:
#1 What firewall will work on the RB931 (basic home usage)?
#2 Do I need separate firewalls on the hAP minis?
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Thu Apr 18, 2019 11:33 pm

#1: default firewall is pretty good at protecting your network from WAN. The only change/addition usually needed is some port forwarding if you want to expose some particular service to internet (e.g. if you wanted to run web server or something)
#2: usually one sets firewall at the perimeter of defended zone. If you consider hAP mini clients as trustworthy as wired clients, then there's no need for firewall on hAP minis. If you don't trust hAP mini clients, then this means the whole LAN topology should be different.
 
Thor187
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat Oct 21, 2017 10:21 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Fri Apr 19, 2019 12:29 am

> #1: default firewall is pretty good at protecting your network from WAN. The only change/addition usually needed is some port forwarding if you want to expose some particular service to internet (e.g. if you wanted to run web server or something)

Great stuff - Then I will put all my effort into the RB931 - default firewall (quick set tab - enable firewall I assume?) and then I will delete the admin account, create a new user and set a password and then disable everything (www/api/http/etc) and keep winbox allowed, but set it to be only accessible from the local LAN. That should protect me from WAN side, I believe?

> #2: usually one sets firewall at the perimeter of defended zone. If you consider hAP mini clients as trustworthy as wired clients, then there's no need for firewall on hAP minis. If you don't trust hAP mini clients, then this means the whole LAN topology should be different.

Perfect, because I trust the wired and wireless devices (this is being deployed at family so normal house folks, no funny business, maybe the odd house guest or so, but also not malicious people.)
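
Added example, not part of the original posts: the management-plane steps listed in the post above, written as RouterOS 6 commands. The user name and password are placeholders, 192.168.99.0/24 is the LAN subnet given earlier in the thread, and the `LAN` interface list is assumed to exist as it does in the default SOHO configuration.

```routeros
# Create the replacement account first and log in with it,
# then remove the built-in admin account
/user add name=homeadmin group=full password="REPLACE-WITH-STRONG-PASSWORD"
/user remove admin

# Turn off the management services that will not be used
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,ssh

# Keep Winbox, but accept connections only from LAN source addresses
/ip service set winbox address=192.168.99.0/24

# Layer-2 management (MAC-Telnet, MAC-Winbox) only on LAN-side interfaces
# (assumes the default "LAN" interface list)
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Review: disabled services are flagged X, winbox shows the address restriction
/ip service print
/user print
```

The `address=` restriction is enforced by the service itself, so it still applies if a later firewall change accidentally opens the Winbox port on the WAN side.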
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Fri Apr 19, 2019 8:50 am

> .... default firewall (quick set tab - enable firewall I assume?)

I'm not familiar with quick set ... It's been ages since I was in that shady place, so I forgot about it in the meantime ... plus I didn't know what I was doing at that time ;-)
AFAIK, firewall is set and enabled by default on SOHO RB models and ether1 is configured as WAN port after initial config is applied to device.

A piece of advice: use quick set for initial setup. After that, when you'll have to switch to "proper" view to set something up (e.g. port forwarding), don't ever go back to quick set (that mode is not compatible with anything you might change in "proper" view).
 
Thor187
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat Oct 21, 2017 10:21 pm

Re: hAP Mini RB931-2nD as a CAP in CAPsMAN

Sun Apr 21, 2019 6:00 pm

Noted
