With regard to VLAN ID 2:
- don't add the VLAN interface (anchored on the bridge) back to the bridge; that would create a nasty loop (and is detected as an error in the most recent ROS versions)
- add pvid to ether3 if you want to make that port an untagged member of VLAN 2
- the show stopper: add the mainBridge interface to the list of tagged ports:
/interface/bridge/vlan
set [ find vlan-id=2 ] tagged=mainBridge
This interface needs to be a tagged member of VLAN 2, as you are creating the VLAN interface VLAN_Interface anchored to the mainBridge interface.
Yes, it does sound confusing, but the bridge has multiple personalities. You can find out more by going through this great tutorial.
A note: MAC access for management of the device (great as backup access using winbox - MAC connectivity) is only allowed via interfaces that are members of the LAN interface list. The same interface list is used quite extensively in the firewall config. However, interface list membership has to be maintained manually. So you may want to add the VLAN_Interface interface to that interface list. After you get your VLAN setup up to speed (and you verify it does work as intended), you will probably want to remove the mainBridge interface from that list.
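
An added example, not part of the original post: a Python check that reads a RouterOS export and flags the three points raised above (VLAN interface added back as a bridge port, bridge missing from the VLAN's tagged list, VLAN interface missing from the management interface list). The export text is constructed, and the check assumes one `add` entry per line and plain VLAN IDs rather than ranges.

```python
import shlex

# Constructed export reproducing the three problems from the post.
SAMPLE_EXPORT = """\
/interface bridge
add name=mainBridge vlan-filtering=yes
/interface vlan
add interface=mainBridge name=VLAN_Interface vlan-id=2
/interface bridge port
add bridge=mainBridge interface=ether3 pvid=2
add bridge=mainBridge interface=VLAN_Interface
/interface bridge vlan
add bridge=mainBridge untagged=ether3 vlan-ids=2
/interface list member
add interface=mainBridge list=LAN
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def audit(text, mgmt_list="LAN"):
    """Return findings for VLAN interfaces anchored on a bridge."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    ports = {p["interface"] for p in cfg.get("/interface bridge port", [])}
    listed = {m["interface"] for m in cfg.get("/interface list member", [])
              if m.get("list") == mgmt_list}
    findings = []
    for v in cfg.get("/interface vlan", []):
        name, parent, vid = v["name"], v["interface"], v["vlan-id"]
        if parent not in bridges:
            continue  # VLAN on a plain port: outside this check
        if name in ports:
            findings.append(f"{name}: is also a bridge port (loop)")
        tagged = set()
        for row in cfg.get("/interface bridge vlan", []):
            if row.get("bridge") == parent and vid in row.get("vlan-ids", "").split(","):
                tagged.update(row.get("tagged", "").split(","))
        if parent not in tagged:
            findings.append(f"{name}: {parent} is not a tagged member of VLAN {vid}")
        if name not in listed:
            findings.append(f"{name}: not in interface list {mgmt_list} (no MAC access)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```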