Assuming you have the switch configured correctly as a trunk port passing data and management.
Assuming your not passing any other vlans (perhaps the vlan100 is also put on wifi by your capac??)
Lets assume your vlan100 has an IP of 192.168.10.1/24 and the IP of the capac manually set and static lease on vlan100 on the main router is 192.168.10.84
..................................
/interface bridge
add ingress-filtering=no name=capacONE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether2 ]
/interface vlan
add interface=capacONE name=trustedvlan vlan-ids=100
/interface list
add name=management
/interface list member
add interface=trustedvlan list=management
/interface wireless
{will assume you are running both wlan1 2ghz, and wlan2 5ghz on your capac }
/interface bridge port
add bridge=capacONE interface=ether1 frame-types=admit-only-tagged ingress filtering=yes
add bridge=capacONE interface=ether2 frame-types=admit-priority-and-untagged ingress-filtering=yes pvid=80
add bridge=capacONE interface=wlan1 frame-types=admit-priority-and-untagged ingress-filtering=yes pvid=100
add bridge=capacONE interface=wlan2 frame-types=admit-priority-and-untagged ingress-filtering=yes pvid=100
/interface bridge vlan
add bridge=capacONE tagged=capacONE,ether1 untagged=wlan1,wlan2 vlan-ids=100
add bridge=capacONE tagged=capacONE,ether1 untagged=ether2 vlan-ids=80
/ip neighbor discovery-settings
set discover-interface-list=management
/ip address
add address=192.168.10.84/24 interface=trustedvlan network=192.168.10.0 comment="IP of capac on trusted subnet"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set winbox address=as required
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
.........................
Note: If you dont have wlans on the capac simply remove the two entries in /interface bridge ports that refers to them and remove the untagging for both on the first line of /interface bridge vlans.
The basic concept is to trunk in from the switch both vlans (100 and 80) and bring vlan100 to the bridge and vlan80 to the camera. Since the camera is a dumb device we use access port functionality which untags the traffic leaving ether 2 heading for the camera and then applies vlan80 tags to the traffic entering ether2 from the camera. If you do have wlans, they are essentially going to be communicating over wifi to dumb devices, so the capac will also strip any tags on the data outbound to devices and then tag the returning data.
I spent some time with it today with a friend we got it working with CapsMan, it took some tinkering hence i thougt i was close before to get to work we gave it a shoot and it payed off.
I think the solution was to use PVID on ether2, vlans is not in my comfort zone but now it works, i need to secure it a bit more the basic setup looks like this tho.
"[admin@Name-of-your-AP] > export
# aug/31/2022 20:58:52 by RouterOS 7.4.1
# software id = 123456789
#
# model = RBcAPGi-5acD2nD
# serial number = 123456789
/interface bridge
add admin-mac=18:00:00:00:00:00 auto-mac=no comment=defconf name=BR1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(18dBm), SSID: Your-wifi-name, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: Your-wifi-name, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface list
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2 pvid=80
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=ether2 vlan-ids=80
/interface list member
add interface=ether2 list=VLAN
add interface=ether1 list=VLAN
/interface wireless cap
#
set bridge=BR1 discovery-interfaces=BR1 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf interface=BR1
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Name-of-your-AP