As an intro, I have read (and tried) pretty much all I could find on setting up a cAP ac as a repeater/extender, including watching lots of videos. Ignoring all the dead ends and issues, the closest I could come to success is by resetting the cAP to have no initial configuration and using the Setup Repeater script to set up both wifi interfaces as extenders (a special SSID for testing clarity). Clients connecting to the extender get a functioning network on the LAN but no internet connection. The client gets a proper IP address and DNS server address but gets no response to DNS requests.

My network consists of a CCR1009 router, an hAP ac connected to it with a cable and configured by Capsman on the router. The cAP is connected via wifi to the hAP. I have a network DNS server on the router via IPv4 and IPv6. Using packet sniffer on all devices, I can see the IPv4 DNS traffic come from the client, through the cAP and hAP to the router. I can see the DNS responses from the router through the hAP but they never get to the cAP and hence never get to the client. The hAP sends them to the cAP but the cAP never receives them. The cAP has a very simple configuration; the wifi interfaces have connections to the hAP interfaces, and the cAP wifi interfaces have virtual APs under them. There are two bridges; one for one wifi interface/virtual AP apair nd the other for the other pair. I am stumped!

The router is running 6.46 beta 28, the hAP is running 6.46 beta 9 and the cAP is running 6.45.3.

I know that a wired cAP is better than an repeater/extender, and I have some of those. This cAP was destined for a friend who wanted a repeater but due to issues there, I brought it back and am trying to get it working in my environment.

Is useful if you post the configuration of each device using export hide-sensitive option to see better where is the problem.

Regards.

Let's start with the hAP and cAP configurations. If needed I can post the router configurations but the problem doesn't seem to be with the router. Any client connecting directly to the hAP works fine. It is the client connecting to the cAP, which is an extender of the hAP, that do not get any DNS responses so cannot access the internet. Those clients can communicate with other devices on the LAN though. As a reminder, the hAP was configured by CapsMan on the router. The cAP was reset to no configuration and then configured with the Setup Repeater command. The network topology looks like:
internet <-> router <->(wired) hAP <->(wireless) cAP<->(wireless) client

cAP config:
# jan/02/1970 01:01:13 by RouterOS 6.45.3
# software id = TKFE-IISR
#
# model = RBcAPGi-5acD2nD
# serial number = B9320A8FCB44
/interface bridge
add name=bridge1 protocol-mode=none
add name=bridge2 protocol-mode=none
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan1-KGLAN-repeater \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan2-KGLAN-repeater \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no mode=station-pseudobridge security-profile=\
wlan1-KGLAN-repeater ssid=KGLAN wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee disabled=no mode=station-pseudobridge security-profile=\
wlan2-KGLAN-repeater ssid=KGLAN wireless-protocol=802.11
add disabled=no mac-address=76:4D:28:66:7E:03 master-interface=wlan1 name=\
wlan3 security-profile=wlan1-KGLAN-repeater ssid=KGLANX2
add disabled=no mac-address=76:4D:28:66:7E:04 master-interface=wlan2 name=\
wlan4 security-profile=wlan2-KGLAN-repeater ssid=KGLANX5
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan1
add bridge=bridge2 interface=wlan4
add bridge=bridge2 interface=wlan2
/ip settings
set accept-redirects=yes accept-source-route=yes
/tool sniffer
set filter-port=dns memory-limit=5000KiB

hAP config:
# aug/11/2019 08:43:55 by RouterOS 6.46beta9
# software id = YKQF-RKBK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 830908497EC3
/interface bridge
add admin-mac=CC:2D:E0:32:9B:E7 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(28dBm), SSID: KGLAN, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(27dBm), SSID: KGLAN, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
#
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
bridgeLocal
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Denver
/system identity
set name=MTAP-EC
/system routerboard settings
set auto-upgrade=yes boot-device=nand-only
/tool sniffer
set filter-ip-address=192.168.1.246/32 filter-port=dns memory-limit=5000KiB

Additional information:
I hard coded the DNS address of 8.8.8.8 in the wireless adapter and connected the client to the cAP. I already had firewall rules in the router to record who accesses external DNS servers and what servers were being accessed. Packet sniffer and the address lists verified that DNS requests/responses were coming from and going to the client. I ran packet sniffer on the hCap and verified the DNS requests/responses passed through in each direction. I ran packet sniffer on the cAP and verified the DNS requests were going out but the responses never came back. IMO, this eliminates the router as the source of the problem. I also updated the software of both the cAP and hAP to 6.46 beta 28 with no effect. In fact, I tried to update the cAP via Winbox by looking for an update but it said it could not resolve the DNS name. I remain stumped.

More additional information:
Playing with the cAP only, I tried various mode settings on the 2G interface just to see what happened. I rescanned and reconnected to the hAP after each change. None resolved the problem. I then returned the mode setting to station pseudo bridge which is what the Setup Repeater initially set. Still no luck. I then noticed that the wireless protocol was set to "any". I changed it to 802.11, rescanned and reconnected to the hAP. Success!

I then tried to repeat the steps on the 5G interface. Failure! I compared the 2G and 5G settings side by side and other than obvious frequency and protocol differences, the only difference I could see is with the Current Tx power. The 5G settings showed nothing whereas the 2G showed a table of rates with 0 transmit and and total transmit values. I doubt that it is significant but it was an observed difference.

I rebooted the cAP and the success on the 2G interface was still a success and the 5G interface was still a failure.

I am still stumped but it seems to me that the problem is with the cAP and it isn't anything I am doing wrong. I am going to ask Mikrotik support to review this topic.

I thought I found the problem, but it seems to only solve it for Windows. The bridges created by Setup Repeater on the cAP had ARP disabled. Once ARP was enabled on both bridges things started working for both radios. I do not know how ARP got disabled on the cAP. I reset the cAP configuration to no initial configuration and went through the steps I had gone through initially. This time the bridges had ARP enabled and things worked fine. I observed that when a Windows client first connects to the cAP, ARP entries are created on the hAP for the router and the client, with the client MAC address being the address of the main cAP radio for the virtual AP connected to. When the client connects to a different AP, the ARP entry in the hAP gets updated to have the real MAC address of the client. I have two wireless adapters on my PC so I could connect the second to the other radio of the cAP. Similar ARP list entries in the hAP was created and changed when I connected that adapter to another AP. Then I tried an iPad...

The iPad only works when connected to the cAP 5G radio. It connects to the cAP 2G radio but cannot access the internet. Interestingly, in either case no ARP list entries are created on the hAP for the iPad.