@neg2led: Thanks, this is what I have been looking for, a working sequence of steps, not the "could do" / "option" / "maybe" / "try" one gets otherwise. Though not preferable, I can live with using WinBox and I understand the advantages L2 access gives in my use case.
And the "please, please, please don't use QuickSet" should warn others for not wasting the many hours as I did.
So I used WinBox and was able to configure the bridge among wlan1 and ether1. I was also able to connect to the WLAN using WPS Client. But then stuck again, the mAP lite doesn't seem to remember/automatically reconnect to the WLAN.
Next attempt: WinBox and Quick Set (ignoring the above warning) and funny, WLAN now works and gets remembered! But the bridge still isn't fully working, the device on ether1 doesn't get a DHCP config, probably for one of the reasons mentioned by @bpwl, so stuck again! Some more refinement might get DHCP working, but then, what is next? So after almost 10 hours I am giving up. I got myself a Zyxel WAP3205, though quite big, it does what I expected: It is simple and it works.
Ah, right, okay - sorry, I thought you wanted to go the other way (use it as a wifi AP, not a wifi client). As for the failing to auto-connect after reboot, I suspect that's something to do with WDS - I've never found WDS to be very reliable, and it's also pretty horrifically insecure (especially with the PIN enabled). I just put the wifi PSK directly into the security profile and that works just fine.
I know you have a solution you're happy with now, but just in case it helps someone who comes across this thread in the future (or you'd like to give it another try):
For bridging a LAN device to a WLAN network, you run into a fundamental issue with 802.11, namely that you're only allowed to have one MAC address per client device. There are a couple of ways around this; the easiest one is "use a MikroTik access point", MikroTik have built some non-standard stuff into their implementation which gets around the problem - but in this case I imagine that's not an option. The remaining options are:
1. Set the wifi radio mode to 'station pseudobridge' on the mAP; this has a major limitation in that you can only reliably connect one device to the LAN side, but for IPv4 traffic you can connect more and it mostly works out fine. The simplest way to set it up is actually via the wifi repeater wizard in Winbox; open Winbox, go to the 'wireless' page, click on 'setup repeater', and follow the prompts. Once that's complete, you should have two wifi interfaces (one physical, one virtual) that are both bridged together; add the ethernet port to that bridge, and away you go.
2. Do not bridge the interfaces, and instead perform NAT on the mAP. For this, you'd put a DHCP client on the wlan interface, and a static IP + DHCP server on the ethernet interface, then configure a NAT rule to masquerade traffic going out wlan. This is basically the same configuration as the defaults, but with the ethernet and wlan interfaces' roles swapped and no firewalling.
The downside to this mode is you can't access the device/devices behind the mAP without setting up port forwarding, and it can get messy and unpleasant to manage.
3. Proxy-ARP. This can have its own host of problems, and I've never successfully set it up in a wifi context, but I believe it should work in theory?
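
Option 2 above (NAT on the mAP, with the PSK stored in the security profile), written out as RouterOS commands. This is an added example, not part of the original post. It assumes the legacy `wireless` menus, a device reset with no default configuration, ether1 not a member of any bridge, and placeholder values for the SSID, passphrase and the 192.168.88.0/24 LAN range.

```routeros
# Added example: placeholder SSID, passphrase and addresses, replace with your own.

# WPA2-PSK stored in a security profile, so the station reconnects
# after a reboot without relying on WPS.
/interface wireless security-profiles
add name=uplink mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="REPLACE-WITH-PASSPHRASE"

# wlan1 as a plain station (client) of the existing WLAN.
/interface wireless
set wlan1 mode=station ssid="REPLACE-WITH-SSID" security-profile=uplink disabled=no

# WLAN side: address, default route and DNS servers come from the upstream DHCP server.
/ip dhcp-client
add interface=wlan1 disabled=no

# Ethernet side: static address on the mAP plus a DHCP server for the wired device.
/ip address
add address=192.168.88.1/24 interface=ether1
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add name=lan-dhcp interface=ether1 address-pool=lan-pool disabled=no
# No dns-server is set here, so clients are handed the DNS servers
# that the DHCP client on wlan1 learned from upstream.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

# Masquerade everything leaving through the WLAN interface.
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade

# With no filter rules, the mAP's own management services (WinBox, SSH, ...)
# answer on the wlan1 address as well; check which are enabled with:
/ip service print
```

After applying, `/ip dhcp-client print` should show wlan1 as bound, and `/ip dhcp-server lease print` should list the wired device once it requests an address.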