It is hard to determine the exact configuration set by CAPsMAN, but it seems like CAPsMAN configures things in a hybrid way (a mix of dumb and vlan-aware bridge config):
- wireless interface is configured with properties vlan-mode=use-tag vlan-id=<VID>, so essentially wireless interface works as tagged interface
- bridge port is configured with properties pvid=<VID> frame-types=admit-all ingress-filtering=no, so the port acts as access port
The latter is clearly displayed by /interface bridge port print, the former is based on my own observations (and may be completely wrong).
Then the exact behaviour boils down to two possibilities, determined by setting of vlan-filtering property on bridge:
- when vlan-filtering=yes, bridge tags with pvid untagged frames on ingress but accepts already tagged frames as well. Bridge untags frames on egress.
It seems that wireless interface untags tagged frames on ingress but accepts untagged as well.
Which all means that frames passing from bridge to wireless interface are tagless while frames passing from wireless interface to bridge are tagged.
- when vlan-filtering=no, bridge doesn't do anything about VLAN tags, while wireless interface does tagging and untagging.
In this case frames passing between bridge and wireless interface in both directions are tagged. If bridge is carrying other vlans or untagged, then those frames may leak into wireless interface. Wireless interface then discards frames with wrong vlan tags but accepts untagged frames which can then leak via air interface.
(N.b. if wireless interface is configured with vlan-mode=no-tag this actually means that wireless driver doesn't treat VLAN tags at all and tagged frames get transmitted over the air ... which allows building trunk PtP connections via wireless).
And yes, bridge port entries as well as wireless interfaces are dynamic which means you can't change their properties.
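
The bridge-to-wireless direction of the two cases described in the post above, as an added sketch that is not part of the original post and is not RouterOS code. It encodes the post's stated observations rather than verified device behaviour; the function names, VLAN IDs and sample frames are constructed for illustration.

```python
# Added illustration: a model of the frame handling the post describes for a
# CAPsMAN-managed wireless port (vlan-mode=use-tag vlan-id=VID, bridge port
# pvid=VID). All names and values below are hypothetical.
from typing import List, Optional

Tag = Optional[int]  # None = untagged frame, int = 802.1Q VLAN ID


def classify(tag: Tag, ingress_pvid: int, vlan_filtering: bool) -> Tag:
    """VLAN the bridge associates with a frame entering on another port."""
    if vlan_filtering and tag is None:
        return ingress_pvid      # untagged frames are tagged with pvid on ingress
    return tag                   # vlan-filtering=no: bridge ignores tags


def reaches_air(tag: Tag, ingress_pvid: int, vlan_filtering: bool, vid: int) -> bool:
    """True if the frame is transmitted by the wireless interface."""
    vlan = classify(tag, ingress_pvid, vlan_filtering)
    if vlan_filtering:
        # Wireless bridge port is an access port for vid: only that VLAN
        # egresses, and the bridge untags it before handing it over.
        return vlan == vid
    # vlan-filtering=no: the frame arrives at the wireless interface as is.
    # It strips a matching tag, discards other tags, accepts untagged frames.
    return vlan is None or vlan == vid


def leaks(frames: List[Tag], ingress_pvid: int, vlan_filtering: bool, vid: int) -> List[Tag]:
    """Frames that go over the air although they do not belong to VLAN vid."""
    return [t for t in frames
            if reaches_air(t, ingress_pvid, vlan_filtering, vid)
            and classify(t, ingress_pvid, vlan_filtering) != vid]


# Constructed sample: frames entering the bridge on a port with pvid=1,
# wireless interface provisioned for VLAN 20.
SAMPLE_FRAMES: List[Tag] = [None, 10, 20, 30]

if __name__ == "__main__":
    for filtering in (True, False):
        state = "yes" if filtering else "no"
        print(f"vlan-filtering={state}: leaked frames =",
              leaks(SAMPLE_FRAMES, ingress_pvid=1, vlan_filtering=filtering, vid=20))
```
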