Just in case this can help someone else. The config below is what I used on a CRS112 and hAP ac2 to get user VLANs, and management IP's with CAPsMAN.
192.168.99.1 is my router/firewall (config not included)
192.168.99.2 is my CRS112 switch/PoE supply, and CAPsMAN.
Port 1 goes to 192.168.99.1 with all the VLANs
Ports 2,3,4 are for user devices / VLAN 20
Ports 5,6,7,8 are for the hAP ac2 devices to connect to.
192.168.99.3+ are my Wireless AP/PoE switches
VLAN 99 is for switch communications.
This config is functional but may need extra bits around the user credentials, and doesn't have any additional security features (cross VLAN traffic is via the router/firewall). For the CRS112 I reccomend connecting via the console port so you don't loose your connection.
############# CRS112 config
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
/interface vlan
add interface=bridge name=vlan99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5 mac-level-isolation=no
/interface bridge port
add bridge=bridge edge=no interface=ether1 point-to-point=no
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
## Assign outbound/egress VLANs
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=20
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add tagged-ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=1
## Assign inbound/ingress VLANs
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
add customer-vid=0 new-customer-vid=20 ports=ether2
## Assign ports to VLANs
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=20
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99
## Assign IP address (management) to a VLAN
/ip address
add address=192.168.99.2/24 interface=vlan99 network=192.168.99.0
# CAPsMAN Bits, with my locality setup for Australia update it for your location.
/caps-man configuration
add country=australia datapath.interface-list=all datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag distance=\
indoors installation=indoor name=Config_homeusers security.authentication-types=wpa2-psk ssid=homeusers
add country=australia datapath.interface-list=all datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag distance=\
indoors installation=indoor name=Config_guests security.authentication-types=wpa2-psk ssid=guests
add country=australia datapath.interface-list=all datapath.local-forwarding=no datapath.vlan-id=40 datapath.vlan-mode=use-tag distance=indoors \
hide-ssid=yes installation=indoor name=Config_IoT security.authentication-types=wpa2-psk ssid=IoT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=ether6
add disabled=no interface=ether7
add disabled=no interface=ether8
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_homeusers slave-configurations=Config_guests,Config_IoT
############# hAP ac2 configs
## Setup the bridge
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface wireless
## Setup the VLANs. VLAN 20 is made available on the 4 ethernet ports on the device.
/interface vlan
add interface=bridge1 name=mgmt vlan-id=99
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
add bridge=bridge1 tagged=ether1 vlan-ids=40
add bridge=bridge1 tagged=ether1 vlan-ids=30
## Setup the wireless as a CAP, and to talk to the CAPsMAN via an IP address.
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.99.2 enabled=yes interfaces=wlan1,wlan2
## Assign the IP address to the device, the IP address needs to be changed so there are no duplicates.
/ip address
add address=192.168.99.3/24 interface=mgmt network=192.168.99.0
/ip route
add distance=1 gateway=192.168.99.1
############# General config on all devices, for my locality in Australia
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.99.1
/system clock
set time-zone-name=Australia/Sydney
/system ntp client
set enabled=yes server-dns-names=au.pool.ntp.org
/ip neighbor discovery-settings
set discover-interface-list=!dynamic