We have an RFS6000 in HQ with a bunch of AP650s directly connected to the controller, and all of it works fine. We intended to install some APs in branch offices. The branch offices are connected via a WAN link and the IP routing is all in place and working.

I have installed one of the APs in the Branch Office following the instructions, and it appears to be working. Although it does get adopted and comes into the right RF domain, I would like to understand how it works in more detail.
1/ The AP boots up and acquires an IP from the local DHCP server along with the option to point it to the controller IP address.
2/ The controller adopts it.
3/ Does VLAN 30 serve any purpose?
4/ Do I need a DHCP server running for the RemoteAP in the Server?
The native VLAN ID of the remote office is 2001.
I have attached a cut down version of the config so that you can see how I have set it up.
!
wlan CORPWifi
description Corporate Users
ssid CORPWifi
vlan 28
bridging-mode tunnel
encryption-type tkip
authentication-type eap
no broadcast-ssid
wpa-wpa2 psk 0 internet
use aaa-policy HFVM-NAP
!
wlan GUESTWifi
description Guest User
ssid GUESTWifi
vlan 29
bridging-mode tunnel
encryption-type none
authentication-type none
wireless-client hold-time 28800
wireless-client inactivity-timeout 3600
wpa-wpa2 psk 0 Jup1ter123456
use aaa-policy HF\ AAA\ Internal\ Policy
use captive-portal HFCaptivePortal
captive-portal-enforcement
!
dhcp-server-policy HF-WC-DHCP-Server
dhcp-pool Guest-Wifi
network 10.0.19.0/24
address range 10.0.19.20 10.0.19.120
lease 0 8
default-router 10.0.19.1
dns-server 10.0.40.43 10.20.40.114
dhcp-pool RemoteAP
network 10.0.21.0/24
address range 10.0.21.10 10.0.21.20
default-router 10.0.21.1
dhcp-pool Corp-Wifi
network 10.0.18.0/24
address range 10.0.18.20 10.0.18.120
default-router 10.0.18.254
dns-server 10.0.40.43 10.20.40.114
!
profile ap4600 HF-AP4600
ip name-server 10.0.40.36
ip name-server 10.0.40.11
ip name-server 10.0.40.35
ip default-gateway 10.0.18.254
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
interface radio1
interface radio2
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface pppoe1
use firewall-policy default
use captive-portal server HFCaptivePortal
ntp server 10.0.40.43
service pm sys-restart
!
profile ap4600 default-ap4600
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
interface radio1
interface radio2
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
logging on
service pm sys-restart
!
!
rf-domain HF\ HQ
location HQ\ Office
contact IT\ Helpdesk
timezone Europe/London
country-code gb
use wips-policy HF\ WIPS\ Policy
!
rf-domain HF\ Office1
location HF\ Office1
contact IT\ Help\ Desk\
timezone Europe/London
country-code gb
!
rf-domain default
location HQ\ Office
contact IT\ Helpdesk
country-code gb
!
wm3600 00-04-96-59-2A-2C
use profile default-wm3600
use rf-domain HF\ HQ
hostname wm3600-Controller
license AP 8c10f72fcf513569d79e4dd2260e23e2ca2e401118eb49c3fd062caf9c761d19c7247b4c2f448fff
trustpoint https Thawte_SSL_CA
ip name-server 10.0.40.43
ip name-server 10.20.40.114
ip domain-name HF.ADS
floor 4
ip default-gateway 10.0.18.254
use radius-server-policy HFSerPol
interface me1
ip address 10.0.24.6/24
interface up1
description Uplink\ Backbone\ Port\ for\ all\ WLAN's
switchport mode trunk
switchport trunk native vlan 28
switchport trunk native tagged
switchport trunk allowed vlan 1,28-30,2001
interface ge8
no description
switchport mode access
switchport access vlan 1
interface vlan28
description CorpWifi
ip address 10.0.18.1/24
ip nat inside
interface vlan29
description GuestWifi
ip address 10.0.19.1/24
use ip-access-list in Guest-LAN-to-Controller
ip nat inside
interface vlan30
description Remote\ AP
ip address 10.0.21.1/24
use event-system-policy Test
use dhcp-server-policy HF-WC-DHCP-Server
use captive-portal server HFCP
use captive-portal server HFCaptivePortal
ntp server 10.0.40.35
email-notification host mailrelay.HF.org.uk sender wifi@HF.org.uk port 25
email-notification recipient xx@HF.org.uk
logging on
logging console warnings
logging buffered warnings
logging syslog informational
logging host 192.168.27.1
!
ap4600 00-04-96-77-57-68
use profile HF-AP4600
use rf-domain HF\ Office1
hostname AP-CG
area CG
floor CF
ip default-gateway 10.0.21.1
autoinstall configuration
interface radio1
wlan GUESTWifi bss 1 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 30
no switchport trunk native tagged
switchport trunk allowed vlan 1,28-30
interface vlan30
description L3\ Data\ Link\
ip address dhcp
ip dhcp client request options all
!
end
Thanks in Advance
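
An added example, not part of the original post or of any vendor tooling: a small Python audit that reads a '!'-delimited config in the layout posted above and reports wlan stanzas with open or TKIP encryption, or with a psk line left on a WLAN that is open or uses EAP. The sample input is constructed, with secrets replaced by a placeholder, and the finding texts are this example's own wording.

```python
# Constructed sample in the post's '!'-delimited layout; secrets replaced.
SAMPLE = """\
!
wlan CORPWifi
bridging-mode tunnel
encryption-type tkip
authentication-type eap
wpa-wpa2 psk 0 <redacted>
!
wlan GUESTWifi
encryption-type none
authentication-type none
wpa-wpa2 psk 0 <redacted>
!
ap4600 00-00-00-00-00-00
interface radio1
wlan GUESTWifi bss 1 primary
!
"""

def parse_wlans(text):
    """Return {wlan name: {keyword: rest of line}} for top-level wlan stanzas."""
    wlans, cur, at_start = {}, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # stanza separator
            cur, at_start = None, True
        elif at_start:                       # first line names the stanza
            at_start = False
            if line.startswith("wlan "):
                cur = wlans.setdefault(line.split(None, 1)[1], {})
        elif cur is not None:                # setting inside a wlan stanza
            key, _, rest = line.partition(" ")
            cur[key] = rest
    return wlans

def audit(text):
    """Return (wlan, finding) pairs for weak or leftover security settings."""
    findings = []
    for name, s in parse_wlans(text).items():
        enc, auth = s.get("encryption-type"), s.get("authentication-type")
        if enc == "none":
            findings.append((name, "open: no over-the-air encryption"))
        elif enc == "tkip":
            findings.append((name, "tkip: deprecated, AES-CCMP preferred"))
        if s.get("wpa-wpa2", "").startswith("psk ") and (enc == "none" or auth == "eap"):
            findings.append((name, "psk line present on an open or eap wlan"))
    return findings
```

The `wlan GUESTWifi bss 1 primary` line under the AP's radio interface is a mapping, not a WLAN definition, which is why the parser only treats the first line after a `!` as a stanza name.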