we have a customer with 8 coffee shops on a WAN.

customer wants to run wi-fi hotspot at each location but wants to make sure public can not access his network.

customer SM on vlan 10 MVID 5

we add an additional vlan 15 to each of the SM

we put a Mikrotik (3 port) at customer premises.

port 1 is trunk port connecting to SM
port 2 is internal customer network, VLAN 10
port 3 is wi-fi vlan 15
Mikrotik Management Interface on Vlan 5

customers can surf fine
I can access the Mikrotik on Vlan 5
customer can not access other customer sites, other customer sites can not access this site

so I change the ingress vlan to 4096 and add the vlan 10 into the SM and do the same for another site, and presto… all works…

for some reason if a tagged packet comes to the SM and it is tagged with the ingress vlan ID the SM rejects it… I would have thought it would let it through…

does the above make sense?