Using second ethernet port on CAP AX with VLANs possible?

Is it possible to use the secondary ethernet port as an access port on a cap ax under capsman management with dynamic vlans? I’ve tried setting this up and every time I enable vlan-filtering on the bridge, the wireless clients no longer have the ability to successfully make DHCP requests/etc.

/interface bridge
add admin-mac=48:A9:8A:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: yyyy, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: yyyy, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridge interface=ether2 pvid=100
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
set caps-man-addresses=192.168.10.1 enabled=yes

I’m trying to use ether2 as an access port, with pvid of 100. This port works perfectly well when vlan-filtering is enabled on the bridge, but all wireless clients lose the ability to send/receive traffic from the router. As soon as I disable vlan-filtering on the bridge, all the wireless clients work normally, but the device connected to ether2 on the cap is now operating as vlan 10 (config below will show why with untagged traffic). The switch this cap connects to has the port (ether20) configured like this (removed non-related lines from output):

/interface/bridge/port:
add bridge=bridge comment="AP3" ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10 pvid=10

/interface/bridge/vlan:
add bridge=bridge comment="Trusted VLAN" tagged=ether3,ether4,ether5,ether24,sfp-sfpplus1,bridge,ether23,ether20 untagged=ether6,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus3 vlan-ids=100
add bridge=bridge comment="Management VLAN" tagged=bridge,sfp-sfpplus1,ether22 untagged=ether1,ether8,ether24,ether2,ether3,ether4,ether5 vlan-ids=10

vlan id 10 is management, 100 is for client access. I’m sure I’m doing a lot wrong, and welcome any/all feedback. Thank you.

You have to provision the wireless interfaces as static enabled, then you can add them to the bridge as required.

Is it not possible to do dynamic provisioning + vlan-filtering on the bridge? I would have expected Mikrotik to handle this scenario with the bridge association dynamically, as well.

Theoretically yes and with old capsman you could but AFAIK I have not yet seen it being done with wave2.

Personal view:
what’s the underlying problem setting them static ?
Capsman installations are rarely very dynamic.
So set your interfaces static, configure your vlans and be happy about it.

The documentation isn’t very clear around static vs. dynamic, is the channel/other configuration stored associated with the interface and never updated if the capsman configuration is changed? In example, if I modify to use create-enabled instead of create-dynamic enabled, and then later want to change the channel configuration, will the interfaces be updated accordingly, or do I have to manually go modify them all? Will it automatically handle the bridge vlan configuration in that mode, for the wireless interfaces based on the capsman configuration, as well? Will these be updated on the caps as I change the capsman configuration?

If the only difference is it’s provisioning the interface persistently but the configuration around wireless can be updated/applied at any time, then that would potentially work. Thank you for your input!

As far as I know (and tested):
There are 2 separate things (but somewhere they come together):

1- wireless config: can be applied at will as was the case with legacy capsman. Change settings, reprovision and done.

2- vlan stuff IF you require the local bridge to be VLAN aware (which will be the case if you want to use that ether2 port as trunk):
only to be applied on static interfaces. Doesn’t dynamically carry over from capsman. It will use the VLAN datapath settings as pushed by capsman but the underlying vlan stuff needs to be done locally on AP.

If you set the AP in simple caps mode (bridge not VLAN aware), then things will work coming from capsman.

Again, that’s how it works for now as far as I know.
IMHO this is a SW limitation because I am sure it should be possible to handle those VLANs in a dynamic way like it used to be possible before.

To be clear, I want ether2 to be an access port, not trunk, I just want clients connecting to it to be on a specific vlan. Right now, that is not working, with vlan filtering turned off on the bridge, even with a pvid specified for that port on the bridge.