 
gdanov
Member Candidate
Topic Author
Posts: 151
Joined: Thu Jan 17, 2019 1:10 pm

vlan set-up when clients already tag their packets

Sun Nov 07, 2021 3:34 pm

I need to route all egress traffic of a client via iptunnel (or eoip) to another site. The client does not connect via a fixed port, so I decided to configure it to tag its packets (see below for example). This means the packets reach the MT interfaces & bridge already tagged, unlike the examples I see. In my case the trunk and the access ports seem to be in reverse and I'm stuck.

How do I need to set up my bridge in order to be sure that egress traffic from this tagged client goes only via the tunnel? I don't care if it's isolated in its local LAN, I care for the egress only. I don't need VLAN support on the other side of the tunnel.

The Linux client tags the packets like this: https://access.redhat.com/documentation ... mmand_line
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan set-up when clients already tag their packets

Sun Nov 07, 2021 8:46 pm

Your use case doesn't make sense to me. But anyway ... if your client is tagging packets, then the port it's using has to be either trunk (tagged for all VLANs) or hybrid (tagged for some VLANs and untagged for a single VLAN). You said the client can connect to different ports, and assuming the same ports can be used by other clients which don't tag their frames, you'll have to set up multiple ports as hybrid - tagged with the VLAN ID used by the particular client and untagged (for other clients).
 
gdanov
Member Candidate
Topic Author
Posts: 151
Joined: Thu Jan 17, 2019 1:10 pm

Re: vlan set-up when clients already tag their packets

Mon Nov 08, 2021 10:03 am

From the gateway's point of view the client is not "roaming" the ports, it's always on the LAN port. But the rest of the traffic is on that port too.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan set-up when clients already tag their packets

Mon Nov 08, 2021 2:10 pm

So you're saying that you have one LAN port configured on the MT router and that LAN port connects to a dumb ethernet switch? Or even if it's managed and configured to pass tagged frames along with untagged towards the router.
So that makes the LAN port a hybrid port ... tagged with the VLAN ID that the Linux server uses and untagged for the rest. Have a look at the de-facto MikroTik VLAN bible.
 
gdanov
Member Candidate
Topic Author
Posts: 151
Joined: Thu Jan 17, 2019 1:10 pm

Re: vlan set-up when clients already tag their packets

Mon Nov 08, 2021 9:24 pm

Thank you for your help. I ended up using a VLAN interface. It acts as a reverse access point and fits best for my needs. A hybrid port would've been the second option, as you suggest.
I did not explain well originally what I have. My LAN is connected to a wireless switch and the clients may be wired or wireless. I want to handle my "special" clients regardless of which port on that switch they are connected to.

Luckily I also have an MT gateway. Using it, all I had to do was create a VLAN interface with the eth port connecting the LAN switch as its parent, and all my traffic was split between the eth port (untagged) and the VLAN eth port (tagged). I connected the VLAN eth port to a separate bridge (no VLAN config needed!) and then built my rules using that bridge as reference. It doesn't get simpler than that.
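
The setup described in the last post, sketched as an added example; it is not gdanov's actual configuration, which the thread does not show. It uses RouterOS v6 syntax, and `ether2`, VLAN ID 100, the interface names, the routing mark and every address are assumptions.

```routeros
# Added example (RouterOS v6 syntax). All names, the VLAN ID and all
# addresses below are assumptions chosen for illustration.
# ether2 = port facing the LAN switch; VLAN 100 = tag set by the special clients.

# 1. Frames tagged 100 on ether2 are delivered, untagged, to this interface;
#    untagged LAN traffic keeps arriving on ether2 itself.
/interface vlan
add name=vlan100-special interface=ether2 vlan-id=100

# 2. Separate bridge holding only the VLAN interface (no bridge VLAN filtering).
/interface bridge
add name=br-special
/interface bridge port
add bridge=br-special interface=vlan100-special

# 3. Gateway address for the tagged clients.
/ip address
add address=10.100.0.1/24 interface=br-special

# 4. IPIP tunnel to the other site (endpoints use documentation ranges).
/interface ipip
add name=ipip-site2 local-address=192.0.2.10 remote-address=198.51.100.20
/ip address
add address=172.16.100.1/30 interface=ipip-site2

# 5. Mark everything routed in from the bridge and give that mark its own
#    default route through the tunnel.
/ip firewall mangle
add chain=prerouting in-interface=br-special dst-address-type=!local \
    action=mark-routing new-routing-mark=via-site2 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.100.2 routing-mark=via-site2

# 6. Guard: forwarded traffic from the bridge may leave only through the
#    tunnel, so it cannot take the normal WAN path if the marked route is
#    not in use.
/ip firewall filter
add chain=forward in-interface=br-special out-interface=!ipip-site2 \
    action=drop comment="special clients: tunnel egress only"
```

Place the drop rule above any rule that accepts new connections from `br-special`, and exclude this bridge from any `fasttrack-connection` rule, because FastTrack packets bypass the mangle and filter rules.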
