i've got four hAP ac2 and one RB4011 (non-wireless model), which i'm using to provide both wired and wireless Internet access in a site that has no Ethernet cabling installed. the RB4011 is connected to a VDSL2 modem to provide Internet access. i've set up the hAPs in a single WDS/HWMP+ mesh using the 2.4GHz radios, then configured one as the mesh portal and connected it to an Ethernet port on the RB4011. all four APs also have a separate client-access SSID configured on the 5GHz radio, and i've added the 5GHz ports and the wired Ethernet ports to the mesh. the RB4011 is running a DHCP server and DNS, and is the default gateway.
so far, everything is working fine: some clients connect via wireless, some plug directly into the AP's Ethernet ports, and they all appear in the mesh FDB, get DHCP leases, and have Internet access via the RB4011.
what i can't work out is how to carry .1q tagged traffic over the mesh. what i'd like to achieve is that some Ethernet ports on the hAPs will be in a separate VLAN, and there will be one or more virtual SSIDs which are in separate VLANs. all the VLAN traffic should be delivered to the RB4011 as .1q-tagged traffic over the wired connection. with a non-mesh CAPsMAN setup, this is very straightforward to configure, but i can't find a configuration example to do this with the mesh - for example, i can't add a bridge VLAN interface on the mesh (which makes sense, since it's not a bridge). does anyone have an example of how to do this?