Hi Stuart,
Just to clarify a point:
"but I didn't think this would matter as the HREAP config would mean that none of this traffic should even leave the access point"
Keep in mind that when an AP is in HREAP mode, the AP essentially acts like a switch with respect to its Ethernet port. When it gets a packet from the wireless side, if appropriate, it tags it and puts it on the wire.
Under ordinary circumstances (unless something is configured to stop this), if a wireless client connected to an HREAP AP sends a multicast packet, it absolutely will be put on the wire by the AP, just as a broadcast would. I just confirmed this with lab equipment.
So if there isn't a routed path from the remote untrusted networks to your mgmt vlan, there may (should) be L3 multicast routing configured for the untrusted and your management routed interfaces. Is this the case?
thanks
Jeff