In your current configuration, your ap does not apply vlan tags to traffic on 192.168.2.0/24 including management of itself. Therefore you loose access to the AP when changing fe-0/0/2 to a trunk where the SRX expect vlan tagged traffic.
You have two options:
1. Configure vlan id 3 as native-vlan-id on the trunk port ( set interfaces fe-0/0/2 unit 0 family ethernet-switching native-vlan-id <name-of-vlan-with-vlan-id-3> ) This let's the SRX know which vlan to put untagged packets into.
2. Right before changing fe-0/0/2, log in to the AP as have it do vlan-tagging of it's management traffic to vlan id 3.
I first set fe-0/0/2.0 to trunk and include both vlan (with the vlan id 3 at top) then commit in J-Web.
Next, I run the command you provided and commit in command mode. It commit without error. But still unable to ping the AP (192.168.2.2). It return "Destination host unreachable".
And I have some questions:
1. Should the port connected to AP set to trunk? The AP uplink port seems no option for change port mode. Is trunk mode need to set on both ports in order to work?
2. In J-Web, the interface has option "Enable Vlan Tagging". Is this need to enable?
3. I have experience this kinds of settings is work IF there is a manage network switch. The ports connected between firewall and switch were set to trunk. Ports between switch and AP were access mode. Of course the switch has vlan config. Do I need to setup a switch just for that single interface?
If your AP is responding to untagged packets, then your switch needs to deliver it an untagged packet.
It can be done by putting the link between AP and switch in access mode but make sure that this access switch port is configured with the correct vlan tag or is a member of the single vlan-id configured on SRX.
Note that an access port needs to be a part vlan on the switch in order to transfer the traffic.
If there is no switch between SRX & AP, then you don't need fe-0/0/2 to be a part of 2 vlans. It can stay as a part of vlan.1 .
This is how I would connect to get this requirement working: -
1. Configure fe-0/0/1 and fe-0/0/2 in access mode.
2. fe-0/0/1 will be a part of vlan.2 (192.168.20.x) . Assuming 20.x subnet is only needed by Wired network.
3. fe-0/0/2 will be a part of vlan.1 (192.168.2.x) . Here I am assuming that the AP is capable of assigning IPs to its clients in the subnet 192.168.2.x .
4. Make a security policy between the zones of vlan.1 & vlan.2 to allow traffic between the vlans and to the itnernet too.
Another scenario can be that you want your AP to be managed by 192.168.2.2 subnet but assign 192.168.20.x subnet to AP's client. In this scenario, your AP interface needs to be vlan tagged on the AP and fe-0/0/2 will be "trunk" mode with both vlans.