Posting the setup I ended up using in case anyone wants a similar setup.
Hardware configuration:
- RB260GSP switch powering all devices over PoE on eth2 and eth3 because eth1 doesn't have PoE out.
- wAP R LTE eth1 connected to RB260GSP eth2.
- hAP AC2 eth1 connected to RB260GSP eth3.
And the following RouterOS configuration after a clean reset of both devices:
wAP R LTE configuration:
- Quick set as a CAP which disables the local NAT and firewall.
- Add new VLAN_LTE (ID 100) interface to send the LTE WAN to hAP directly for processing and forwarding. Configure VLAN_LTE as the destination for the LTE passthrough.
    /interface vlan
    add interface=bridgeLocal name=vlan_lte vlan-id=100
    /interface lte apn
    set [ find default=yes ] passthrough-interface=vlan_lte
hAP AC2 configuration:
- Quick set as a "Home Mesh" which makes it a CAPs manager.
- Enable CAP for the local access-points to be configured through the CAPsMAN running on the same device. Set 127.0.0.1 as the caps-man-addresses to make the CAPs traffic pass through the firewall and not be blocked by the default firewall rules. Enable CAPs discovery on the bridge interface and lock access-points to CAPsMAN for configuration:
    /interface wireless cap
    set bridge=bridge caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan2,wlan1 lock-to-caps-man=yes
- Add new VLAN_LTE (ID 100) interface. Add it to the WAN interface list.
    /interface vlan
    add interface=bridge name=vlan_lte vlan-id=100
    /interface list member
    add interface=vlan_lte list=WAN
- Add eth1 to the default Bridge interface since wAP is attached to this port and is providing both internet over VLAN 100 and serving as a local access point.
    /interface bridge port
    add bridge=bridge interface=ether1
- Enable the DHCP client on the vlan_lte interface since that is where the internet comes in now:
    /ip dhcp-client
    add disabled=no interface=vlan_lte
This setup makes all traffic from the wireless devices connected to the wAP access point pass through to hAP and then back to the LTE interface on wAP, but that's a valid compromise considering the simplified management on hAP.
I'm wondering if it is easier to use the VLAN between wAP and hAP for the access-point traffic instead of the LTE connection?
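An added example, not part of the original post: a Python check that compares the two halves of the VLAN 100 uplink described above, covering the passthrough target on the wAP and the matching VLAN, WAN list membership and DHCP client on the hAP. The export strings are constructed from the post's commands, and `parse_export` and `audit` are hypothetical helper names.

```python
import re

# Constructed exports, assembled from the commands in the post (not real device output).
WAP = """/interface vlan
add interface=bridgeLocal name=vlan_lte vlan-id=100
/interface lte apn
set [ find default=yes ] passthrough-interface=vlan_lte"""
HAP = """/interface vlan
add interface=bridge name=vlan_lte vlan-id=100
/interface list member
add interface=vlan_lte list=WAN
/interface bridge port
add bridge=bridge interface=ether1
/ip dhcp-client
add disabled=no interface=vlan_lte"""

def parse_export(text):
    """Map each menu path to a list of {key: value} dicts, one per command line.
    Simplification: no quoted values with spaces, no backslash line continuations."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line and path:
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit(wap_text, hap_text):
    """Return findings; an empty list means both halves of the uplink agree."""
    wap, hap = parse_export(wap_text), parse_export(hap_text)
    wap_vlans = {v.get("name"): v.get("vlan-id") for v in wap.get("/interface vlan", [])}
    targets = [a["passthrough-interface"] for a in wap.get("/interface lte apn", [])
               if "passthrough-interface" in a]
    if not targets or targets[0] not in wap_vlans:
        return ["wAP: LTE passthrough does not point at a defined VLAN interface"]
    vid = wap_vlans[targets[0]]
    uplinks = [v.get("name") for v in hap.get("/interface vlan", []) if v.get("vlan-id") == vid]
    if not uplinks:
        return [f"hAP: no VLAN interface with vlan-id={vid}"]
    up, findings = uplinks[0], []
    wan = {m.get("interface") for m in hap.get("/interface list member", []) if m.get("list") == "WAN"}
    if up not in wan:
        findings.append(f"hAP: {up} is not in the WAN list, so rules keyed on that list skip it")
    dhcp = {c.get("interface") for c in hap.get("/ip dhcp-client", []) if c.get("disabled", "no") == "no"}
    if up not in dhcp:
        findings.append(f"hAP: no enabled DHCP client on {up}")
    return findings

if __name__ == "__main__":
    print(audit(WAP, HAP) or "uplink configuration is consistent")
```

The WAN list check matters here because the passthrough hands the LTE address to the hAP, so the hAP's firewall is the only one in the path once the wAP runs as a CAP.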