Yes, first set up an "admin" network so you can always log into the AP directly by wifi even if Ethernet is misconfigured. This network should have a static IP address of something .1, in a different subnet range than anything else you're using. It should have a DHCP server and, of course, a wifi AP. It doesn't need a firewall zone or any firewall rules as long as the default rule is to accept input and output. Or you can place it in the lan zone.
In DSA, in order to tag packets on a port and also have the switch properly add and remove tags and hardware switch to other ports, you must use bridge-vlans. The notation 'lan1.X' is not valid in any bridging situation which will also involve hardware switching.
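The two posts above describe a configuration rather than show one, so here is an added example (not posted by either participant) of what that looks like in OpenWrt's UCI format on a DSA switch: a wifi-only "admin" network on its own subnet with its own DHCP pool, plus a `br-lan` bridge with `bridge-vlan` sections instead of the `lan1.X` notation. Port names `lan1` to `lan4`, the radio name `radio0`, the VLAN IDs 1 and 10, the SSID, and all IP ranges are assumptions chosen for illustration; adjust them to the device.

```uci
# /etc/config/network  (assumed example, relevant sections only)

# The hardware switch ports are members of one bridge device.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

# VLAN 1: untagged on every port, and the port's PVID (the '*').
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

# VLAN 10: tagged on lan1 only (a trunk toward another switch or AP).
# The switch adds/strips the tag in hardware; no 'lan1.10' device is used.
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1:t'

# Interfaces attach to the VLAN sub-devices of the bridge, not to ports.
config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

# "admin" network: no 'device' line, so no Ethernet port is ever attached;
# netifd attaches the wifi-iface below directly to this interface.
config interface 'admin'
    option proto 'static'
    option ipaddr '192.168.250.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp  (assumed example)
config dhcp 'admin'
    option interface 'admin'
    option start '100'
    option limit '50'
    option leasetime '12h'

# /etc/config/wireless  (assumed example)
config wifi-iface 'admin_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'admin'
    option ssid 'ap-admin'
    option encryption 'psk2'
    option key 'change-me-to-a-long-passphrase'

# /etc/config/firewall  (assumed example; only needed if the default
# input policy is not ACCEPT, otherwise the admin network can stay zoneless)
config zone
    option name 'lan'
    list network 'lan'
    list network 'admin'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
```

After editing, `/etc/init.d/network restart` and `wifi` apply the change. A quick check that the VLAN layout took effect is `bridge vlan show`, which should list VLAN 1 untagged and PVID on all four ports and VLAN 10 tagged on lan1 only; `ip addr show br-lan.1` should carry the LAN address. Because the admin SSID has no `device`, it survives any later mistake in the `br-lan` or `bridge-vlan` sections, which is the point of having it.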
I followed your advice, connecting my management PC to the AP's port with a wire, now I can save the config where VLAN filtering is set to lan1-4 for the br-lan device, and the LAN interface uses br-lan.1.
However, my WiFi client cannot access the AP as previously. The client's ARP requests looking for the AP never showed up in the AP's br-lan or br-lan.1 interface. Only my wired PC is able to access the AP.
I had a ghost wifi-iface created that I thought should be irrelevant, so I removed it when pasting the config here; it had isolate enabled. Turns out that option on a supposedly irrelevant WiFi can somehow make the AP ignore ARP requests from any SSID. Sorry for being presumptuous.
Thanks for helping me along the way, I don't think I'd have the perseverance without your (and others') troubleshooting.
A tangential question: if the isolation option should not be used, how can I prevent WiFi clients from talking to each other without affecting other things?