Thanks mkx, finally, finally it works! I now put the IP on the bridge BR1, and allowing frame-types=admit-all with ingress-filtering on ether1 did the trick.
This is my final configuration:
# oct/22/2021 14:17:54 by RouterOS 6.49
# software id = EK22-3R0R
#
# model = RBcAPGi-5acD2nD
# serial number = B9320B001B18
# Single bridge BR1 with VLAN filtering on; protocol-mode=none means no
# STP/RSTP runs on it. The bridge MAC is pinned via admin-mac (auto-mac=no).
/interface bridge
add admin-mac=C4:AD:34:85:FC:6A auto-mac=no comment=defconf name=BR1 \
protocol-mode=none vlan-filtering=yes
# BASIS is the only interface list defined in this listing. Further down it
# scopes neighbor discovery, MAC server / MAC WinBox and the (disabled) input
# drop rule, so its membership decides where those are reachable.
/interface list
add name=BASIS
# Two WPA2-PSK profiles: profil_intern for the internal SSID and profil_gast
# for the guest SSID. The default profile is only touched for its
# supplicant-identity; none of the wireless interfaces in this listing use it.
# NOTE(review): no wpa2-pre-shared-key value appears in this listing -
# presumably hidden or removed before posting. Confirm on the device that both
# profiles have a key set and that the guest key differs from the internal one.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profil_intern \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profil_gast \
supplicant-identity=MikroTik
# Physical radios (2.4 GHz and 5 GHz): both serve SSID KICK@in with
# profil_intern in ap-bridge mode, WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=wlan2ghz-intern security-profile=profil_intern ssid=\
KICK@in wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge name=wlan5ghz-intern security-profile=\
profil_intern ssid=KICK@in wireless-protocol=802.11 wps-mode=disabled
# Virtual APs for the guest SSID KICK@gast, one per radio, using profil_gast
# and with WPS disabled. The separation from the internal network is done by
# the bridge port pvid / VLAN table, not by these interface settings.
# NOTE(review): default-forwarding is not shown, so it is presumably at its
# default; if guest clients must not reach each other over the air, verify it.
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6B \
master-interface=wlan2ghz-intern multicast-buffering=disabled name=\
vlan2ghz-gast security-profile=profil_gast ssid=KICK@gast wds-cost-range=\
0-4294967295 wds-default-bridge=BR1 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6C \
master-interface=wlan5ghz-intern multicast-buffering=disabled name=\
vlan5ghz-gast security-profile=profil_gast ssid=KICK@gast wds-cost-range=\
0-4294967295 wds-default-bridge=BR1 wds-default-cost=0 wps-mode=disabled
# Wireless ports are access ports: ingress filtering on, only untagged (or
# priority-tagged) frames admitted, pvid 10 for the internal SSID and pvid 15
# for the guest SSID. A client cannot pick its VLAN by sending tagged frames.
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2ghz-intern pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan5ghz-intern pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=vlan2ghz-gast pvid=15
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=vlan5ghz-gast pvid=15
# ether1 is the uplink. Neither frame-types nor pvid is set on it, so both are
# presumably at their defaults (admit all frame types, pvid 1 - verify): tagged
# VLAN 10/15 frames and untagged frames are both accepted on this port.
# NOTE(review): the untagged side of ether1 is then where the address on BR1 is
# reachable, so the upstream switch port decides who can reach management.
add bridge=BR1 ingress-filtering=yes interface=ether1
# Neighbor discovery is limited to interfaces in the BASIS list.
/ip neighbor discovery-settings
set discover-interface-list=BASIS
# VLAN table: 10 = internal WLANs, 15 = guest WLANs; both leave tagged on
# ether1. BR1 itself is not listed as a member of either VLAN, so the address
# on BR1 should not be directly reachable from inside VLAN 10 or 15 on this
# device - access from those VLANs has to come through whatever routes between
# VLANs upstream. NOTE(review): confirm that upstream device filters guest
# traffic towards the management subnet.
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan2ghz-intern,wlan5ghz-intern \
vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=vlan2ghz-gast,vlan5ghz-gast vlan-ids=15
# BR1 is the only BASIS member, and BR1 is also the interface carrying the IP
# address, so BASIS covers every path by which IP traffic reaches the device.
/interface list member
add interface=BR1 list=BASIS
# Management address of the AP, bound to the bridge interface BR1.
/ip address
add address=10.10.10.77/24 interface=BR1 network=10.10.10.0
# allow-remote-requests=yes makes this device answer DNS queries from other
# hosts. Resolving names for the device itself (e.g. the NTP pool names under
# /system ntp client) does not need it; consider setting it to no unless
# clients are meant to use this AP as their resolver.
/ip dns
set allow-remote-requests=yes servers=10.10.10.254
# Input chain = traffic addressed to the AP itself. The default policy is
# accept, and the only rule that would drop new connections ("drop all not
# coming from LAN") is disabled=yes, so nothing here limits who may open a
# connection to 10.10.10.77.
# NOTE(review): no /ip service section appears in this listing, so the IP
# management services are presumably at their defaults - verify which are
# enabled and from which addresses they accept connections.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled. Even if enabled it would match only traffic NOT arriving via a
# BASIS interface, and BR1 - the only interface with an address in this
# listing - is in BASIS, so it would not restrict access arriving through BR1.
# Limiting management access would need a match on source address instead.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!BASIS
# Forward chain = traffic routed through the device. NOTE(review): wireless
# clients are bridged to ether1 here, and bridged frames presumably never reach
# this chain (no use-ip-firewall bridge setting appears in the listing), so
# these rules likely have no effect on client traffic - confirm before relying
# on them or removing them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# in-interface-list=*2000010 is a reference to an object that no longer
# exists - presumably the WAN list from the default config, which is not
# defined in this listing. The rule therefore no longer does what its comment
# says and should be fixed or removed deliberately rather than left dangling.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=*2000010
# Default route via 10.10.10.254.
/ip route
add distance=1 gateway=10.10.10.254
# NTP client: 10.10.10.254 as primary server plus four public pool names;
# resolving those names depends on the server set under /ip dns.
/system ntp client
set enabled=yes primary-ntp=10.10.10.254 server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
# The physical mode button runs the script named dark-mode.
/system routerboard mode-button
set enabled=yes on-event=dark-mode
# dark-mode script (comment=defconf): toggles the all-leds-off LED setting
# between "never" and "immediate". The source only reads and writes
# /system leds settings.
# NOTE(review): the policy list looks much broader than an LED toggle needs;
# dont-require-permissions=no means the caller's permissions are still checked.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
# MAC Telnet and MAC WinBox are accepted on BASIS, i.e. on BR1. These are
# layer-2 management paths, reachable from hosts in the same L2 segment as BR1.
# NOTE(review): presumably that is the untagged side of ether1 - verify that
# segment is a trusted management network, or narrow these lists.
/tool mac-server
set allowed-interface-list=BASIS
/tool mac-server mac-winbox
set allowed-interface-list=BASIS
I built this configuration starting from the default config for 192.168.88.1, so I could remove a few config lines that were obsolete and had no effect. But can I delete the firewall rules as well, without any effect?