I haven’t touched e5xx in several years, but have seen this behavior on newer models. I am assuming you are using cnMaestro for management -
Enterprise cnPilot devices have a default/hardcoded fallback IP of 192.168.0.1 (which does NOT show up in a device configuration export via cnMaestro) - even if NO ports are explicitly configured to have membership in VLAN1.
Because this fallback IP is hardcoded by default, the AP’s internal ebtables/iptables will install a locally connected route for 192.168.0.0 on the untagged/native ethernet uplink…
If your utilized networks fall within the 192.168.0.0 range, the routing table sometimes might accidently ‘leak’ some of the traffic untagged out the ethernet port - even if device is connected to a SSID associated with a different VLAN.
If you have LLDP enabled in your environment, your Mikrotik should be able to see the radio’s 192.168.0.1 fallback from its neighbor discovery on ether5.
cnMaestro gives no means of disabling the hardcoded fallback IP, and additionally hides the ability to remove VLAN1.
Overriding the HTML hide flag, removing VLAN1 from the configuration, and then rebooting the AP will do the trick - no more leakage.