Trying to build one scheme, and after a couple of days I start thinking I’m stupid. I will be grateful for the advice

Short description of the scheme (only the important part): ccr as an edge router, dozens of mikrotik wi-fi aps (hap ac 2, cap ac) and a bunch of devices connected to wi-fi aps with wire.
For now, everything works perfect in the following format – capsman on ccr, a dozen subnets, each in a separate vlan, two wi-fi networks, bridge vlan filtering on wi-fi aps for two ssids and for wired devices.
The task is to make wi-fi networks for all departments. Yeah, I can just make more virtual aps and job is done but I’m not attracted with 14 new ssids. So, I decided to test scheme “1 ssid + usermanager vlan assignment”

Test setup:
ccr1016 (7.13.5) as a router, capsman, usermanager
hap ac 2 (7.13.5) as a cap with “wireless” package (no dynamic vlans at all in qcom-ac)
needs: 1 ssid with dynamic vlans (v240/v241), 1 ssid for guest (v272), vlans on ether (v240/v241)

On CCR - legacy capsman + usermanager + bridge vlan filtering and vlan to port with ap
On AP - legacy package, cap, bridge vlan filtering and vlans.

First problem I got – usermanager with vlan assignment works only when bridge vlan filtering is disabled on cap. But in case with no bridge vlan filtering I’m losing vlans on ether and virtual ssid for guest without dynamic vlans. And if vlans on ether I solved with vlan on switch chip I just can’t find solution for guest ssid without bridge vlan filtering.

So, the main question is how to make usermanager with vlan on user work with bridge vlan filtering on cap? And if it’s not possible any other solution for 1 ssid and multiply vlans?

p.s. some parts of configs for better "picture"

CAPsMAN only provisions wireless interface ... and userman only sets VID for a particular user (much like static ACLs would). So I would expect that you have to configure uplink ethernet port as tagged member of a number of VLANs (all that might be used by userman), but likewise the wireless interface. Which is the problem since CAPsMAN can't do it entirely.

Some guesswork hence forth ... in provisioning rules, use action=create-enabled ... after a radio is provisioned, you can change settings, in particular you want to add (the created cap) interface as tagged member port to all necessary VLANs under bridge config (capsman may add it to single VLAN). And having action as indicated (versus create-dynamic-enabled) may allow for your custom config to survive reboots or other events (which otherwise affect cap configuration).
The above config has to be either done on CAPsMAN device (if capsman-forwarding is used) or on each CAP device (if local forwarding is used).

Yeah, manual adding wifi interface with all those vlans tagging - and it works with bridge vlan filtering. Thx.

p.s. Mb someone know is there "dynamic vlans in qcom-ac" in plans of smth like that? No so good to stay on legacy drivers.

Mb someone know is there "dynamic vlans in qcom-ac" in plans of smth like that?

Perhaps MT knows?