Sindy,
thank you for the detail information. Running through you explanation I think I do understand most of it, and indeed, if I disabled vlan filtering on the single brigde setup but leave the virtual wifi interface to tag on VLAN ID 2, it works as expected. So this single bridge configuration on cAP is working.
I also achieve dual bridge with each VLAN interface association to the right bridge.
The big question mark from reading your email was this statement you made:
As you want tagless and tagged frames to exist on ethernet interfaces, you cannot have one bridge for the tagged ones and another bridge for the tagless ones, as once the ethernet interface becomes a member port of a bridge, all frames get to the bridge. You can attach the tagged ends of as many /interface vlan as you want to a single /interface ethernet, but only if the ethernet interface is not a member port of a bridge. And there is no way to get only the tagless packets from the ethernet interface to a bridge.
So the way I read and understand that is: once you have assigned a ethernet interface to the bridge, this interface can be only be part of this bridge whatever it contains tag and/or untagged traffic. So if you want to differentiate between tag and untag on an interface and assign them on separate bridge this is where /interface vlan comes handy.
So to accomplish what I initially wanted, I went back to the virtual guest interface and remove the tag information. I also set VLAN ID to 2, but turns out that it didn't make a difference, and kept my single bridge in filtering mode as is and is also working! As soon as I connect wlan-guest-5Ghz appears in my VLAN 2 untagged.
/interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge_AEPONYX 2 ether1 wlan-guest-5GHz
1 D bridge_AEPONYX 1 bridge_AEPONYX
ether1
ether2
As stated previously, I got back to my virtual guest interface and assign a value of 1 to the VLAN ID, still works, so I believe this information would be only important when tag is selected.
So the last test I did tried was to put back the virtual interface to tag on 2 and assigned them to the bridge, but in the tagged list. And again it worked!
/interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge_AEPONYX 2 ether1
wlan-guest-5GHz
1 D bridge_AEPONYX 1 bridge_AEPONYX
ether1
ether2
So thank you for your help, I'll now investigate CAPSMAN.
Rock.