The AP is connected to a Mikrotik running a PPPoE server.
The SM is doing NAT & DHCP.
The SM picks up its IP address OK.
The SM has a separate management address on VLAN 4000.
Now, the SM is NAT-ing, getting its IP OK, and routing to clients connected to it. The management interface is reachable from the wireless side but also from the LAN. I thought that enabling a management VLAN would disable this.
When in NAT mode the SM is accessible via the Ethernet port. I haven't tested it, but you may be able to create a firewall rule (Config-->Security) to block it. Alternatively you could move the web server to an obscure port.
Note, if you place the CPE in bridge mode you can disable Ethernet access.
I'm curious, why do you care if the customer can access the web interface?