Hello Ammar
First of all, the virtual WLC has some limitations compared to a physical WLC, and one of those limitations is the supported feature set. With a vWLC, you can only configure access points in FlexConnect mode, as you mentioned. This means that other modes such as sniffer, monitor, or rogue detector are not available.
Secondly, you are correct in stating that when using FlexConnect mode in a virtual WLC, the data traffic is not tunneled back to the WLC through CAPWAP. Instead, the traffic is switched locally at the access point (AP), which is a key feature of FlexConnect mode. This can be advantageous in reducing latency and conserving bandwidth.
Since you’ve routed the traffic to a firewall, it should be configured to handle the different VLANs and apply the necessary security policies to each. This setup enables local switching at the AP level and ensures proper traffic segregation based on VLANs, with security policies applied at the firewall.
I hope this has been helpful!
Laz