I had things set up with VLAN ID on the bridge port, and I had set frame type to `admit-only-untagged-and-priority-tagged` for security
However, then I tried to set the VLAN ID in Datapath, that stopped working and I had to revert to setting the VLAN ID on the bridge port and frame type to `admit all` for things to work again.
Does that make any sense? I thought it was the same config but in a different location. Why did I need to remove the `admit-only-untagged-and-priority-tagged` on the bridge port, while keeping the VLAN ID there?
There has been a discussion in the v7.12rc release announcement thread about a strange behavior with Wi-Fi interfaces that are added dynamically via CAPsMAN. The issue is that Wi-Fi interfaces added via CAPsMAN to a specific VLAN appear in the bridge configuration in the list of currently
tagged interfaces rather than untagged.
One posting in that thread mentioned a feature where the VLAN membership can be set on a per-client basis and not just a per-interface basis. I assume that this is configured via a user authentication mechanism such as RADUIS.
I am going to make a wild guess as to what is going on here. If Wi-Fi allows different clients using the same Wi-Fi interface to operate on different VLANs, then the software driver for that Wi-Fi interface is effectively performing a bridging/switching function and it is passing traffic for multiple VLANs to and from the actual bridge element. In effect, the interface between the Wi-Fi driver and the bridge is behaving like a "trunk" link rather than like an access port. To do this, it likely needs to utilize VLAN tags so that the multiple data streams (VLANs) can be handled by the bridge and the Wi-Fi driver, but not include the VLAN tags on the packets that are sent over the air.
If so, then when the Wi-Fi driver is operating in a configuration where there is some aspect of dynamic configuration of its VLAN ID or it supports multiple VLANS, its interface to the bridge would need to operate as a "trunk" with VLAN tags. That would explain why your bridge configuration needs to accept tagged packets and why the v7.12rc release thread is reporting that dynamically added Wi-Fi interfaces appear as tagged and not untagged.
Again, this is all an educated guess, but it seems to explain several unexpected behaviors. I would love to hear someone from MikroTik comment on this or explain the Wi-Fi VLAN behavior in more detail. I currently use the bridge.ports method to configure VLANs for Wi-Fi so that I can have private and guest SSIDs, but I am considering changing to use CAPsMAN and the wifiwave2.datapath method. If you are not using CAPsMAN or per-client VLAN membership, then it is probably better to keep all of the VLAN configuration under the bridge configuration.