OTOH if admin wants/needs something less straightforward on CAP location, then admin will have to manually configure bridge anyway. In this case it's probably safe to enable vlan-filtering on bridge ... and it would be interesting to see if wifi interface is added to bridge (by CAPsMAN) together with correct tagged VLAN membership.
Enabling VLAN filtering on the CAP's bridge results in this:
[admin@MikroTik] > interface bridge pr d
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled
arp-timeout=auto mac-address=78:9A:18:0C:1B:DB protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=78:9A:18:0C:1B:DB
ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-all ingress-filtering=yes dhcp-snooping=no
port-cost-mode=long mvrp=no max-learned-entries=auto
[admin@MikroTik] > interface bridge port pr
Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY HORIZON
;;; defconf
0 H ether1 bridgeLocal yes 1 0x80 none
;;; defconf
1 H ether2 bridgeLocal yes 1 0x80 none
;;; defconf
2 I H ether3 bridgeLocal yes 1 0x80 none
;;; defconf
3 I H ether4 bridgeLocal yes 1 0x80 none
4 D wifi1 bridgeLocal 1 0x80 none
And this is when I force my device to connect to CAP (by disabling local wireless interfaces on CAPsMAN) and after tagging bridgeLocal and ether1 for VLANs I have:
[admin@MikroTik] > interface bridge vlan pr d
Flags: X - disabled, D - dynamic
0 D ;;; added by pvid
bridge=bridgeLocal vlan-ids=1 tagged=wifi1
untagged=bridgeLocal,ether2,ether1 mvrp-forbidden="" current-tagged=wifi1
current-untagged=bridgeLocal,ether2,ether1
1 bridge=bridgeLocal vlan-ids=20,30,40 tagged=bridgeLocal,ether1 untagged=""
mvrp-forbidden="" current-tagged=bridgeLocal,ether1 current-untagged=""
2 D ;;; added by wifi
bridge=bridgeLocal vlan-ids=30 tagged=wifi1 untagged="" mvrp-forbidden=""
current-tagged=wifi1 current-untagged=""
Tested with all VLANs, works like a charm.
One thing I noticed. When I forget network (so I can connect with another password) first time entering password it displays an error on the phone to enter password again. When I enter password second time it connects immediately.
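As an added example (not code from this thread), here is a small Python script that parses the `interface bridge vlan print detail` output quoted above and checks each port's current tagged/untagged membership, so you can confirm that CAPsMAN put wifi1 in the expected VLAN and that no port ends up untagged in more than one VLAN. The sample text is the post's own output; the function names are mine.

```python
import re
from collections import defaultdict
# Constructed sample: the CAP's "interface bridge vlan print detail" output quoted above
SAMPLE = """\
 0 D ;;; added by pvid
     bridge=bridgeLocal vlan-ids=1 tagged=wifi1
     untagged=bridgeLocal,ether2,ether1 mvrp-forbidden="" current-tagged=wifi1
     current-untagged=bridgeLocal,ether2,ether1
 1   bridge=bridgeLocal vlan-ids=20,30,40 tagged=bridgeLocal,ether1 untagged=""
     mvrp-forbidden="" current-tagged=bridgeLocal,ether1 current-untagged=""
 2 D ;;; added by wifi
     bridge=bridgeLocal vlan-ids=30 tagged=wifi1 untagged="" mvrp-forbidden=""
     current-tagged=wifi1 current-untagged=""
"""
HEADER_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(.*)$")  # "0 D ;;; note" or "1 key=val ..."
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')                # value may be "", one word or a,b,c

def parse_bridge_vlan(text):
    """Turn RouterOS 'print detail' output into one dict per bridge VLAN entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # new entry: index, flag letters, then either a ;;; comment or key=value pairs
            idx, flags, rest = m.groups()
            comment = rest[3:].strip() if rest.startswith(";;;") else ""
            entries.append({"id": int(idx), "flags": flags.split(), "comment": comment})
            line = "" if comment else rest
        for key, val in KV_RE.findall(line):  # indented continuation lines carry more pairs
            val = val.strip('"')
            if key == "vlan-ids":
                entries[-1][key] = [int(v) for v in val.split(",") if v]
            else:  # tagged/untagged/current-* are port lists; everything else stays a string
                entries[-1][key] = [v for v in val.split(",") if v] if key.endswith("tagged") else val
    return entries

def port_memberships(entries):
    # Map each port to the VLAN IDs in which it is currently tagged / untagged
    mem = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for e in entries:
        for kind in ("tagged", "untagged"):
            for port in e.get("current-" + kind, []):
                mem[port][kind].update(e["vlan-ids"])
    return dict(mem)

def find_issues(entries):
    """Ports untagged in more than one VLAN (only one PVID exists) or tagged and untagged in one VLAN."""
    issues = []
    for port, m in sorted(port_memberships(entries).items()):
        if len(m["untagged"]) > 1 or (m["tagged"] & m["untagged"]):
            issues.append(f"{port}: untagged={sorted(m['untagged'])} tagged={sorted(m['tagged'])}")
    return issues
```

On the quoted table the script reports wifi1 tagged in VLANs 1 and 30, ether1 and bridgeLocal tagged in 20/30/40 with PVID 1, and no inconsistencies.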
So it seems we'll need some more experimenting (somehow I feel you're eager to do it yourself).
Of course, my goal is always to learn more, otherwise I would use some other brand that is plug and play but where is the fun in that...