krakenant
Member Candidate
Topic Author
Posts: 135
Joined: Sat Feb 06, 2010 6:32 am

Stopping Broadcast Packets

Thu Apr 15, 2010 9:28 pm

Specifically DHCP, but Windows broadcasts, etc.

Belair has a feature that stops all broadcasts from going out the wireless interface, unless from a specified list of MAC addresses. I am looking to duplicate that feature. Any idea what to select in the firewall to target broadcast packets? I can figure out the rest I am fairly certain.
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: Stopping Broadcast Packets

Thu Apr 15, 2010 9:47 pm

Router setup? WDS with bridge or routing?
 
krakenant
Member Candidate
Topic Author
Posts: 135
Joined: Sat Feb 06, 2010 6:32 am

Re: Stopping Broadcast Packets

Thu Apr 15, 2010 10:27 pm

These would be on Mikrotiks converted to APs, either wired or bridged. They wouldn't do any routing.
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: Stopping Broadcast Packets

Thu Apr 15, 2010 11:22 pm

In the bridge firewall, drop dst-mac ff:ff:ff:ff:ff:ff, but add static ARP for hosts.
 
krakenant
Member Candidate
Topic Author
Posts: 135
Joined: Sat Feb 06, 2010 6:32 am

Re: Stopping Broadcast Packets

Fri Apr 16, 2010 12:40 am

Not exactly what I am looking for.
Here is the description from the Belair manual:
"When configured in secure port mode, the AP forwards to the associated wireless clients only those Layer 2 (Ethernet) frames for which the source MAC address and VLAN matches an entry its white list. The white list can contain up to 32 entries. If a VLAN is not specified, it is assumed to have a value of zero. In effect, while in this mode the AP acts as a firewall for all Layer 2 frames arriving from inside the network for the wireless clients. The secure MAC white list should only contain the MAC addresses of the gateway interfaces. Thus, wireless clients associated to other APs in the network are prevented from communicating with locally associated clients.
Note 1: The secure MAC white list is different from the list described in “Wireless Client Access Control List” on page 90. In a client ACL, only the listed MAC addresses are allowed to associate with an AP. The secure MAC white list controls data forwarding to the wireless clients from remote entities in the network. The content of the secure MAC white list takes effect only when the AP secure port mode is enabled."
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Stopping Broadcast Packets

Thu Apr 22, 2010 3:20 am

"the AP forwards to the associated wireless clients only those Layer 2 (Ethernet) frames for which the source MAC address and VLAN matches an entry its white list."

maybe something like

/interface bridge filter add vlan-id=? src-mac-address=?

?

accept whitelisted entries, then drop all the rest...
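
Added example, not part of any post above: the accept-then-drop idea from the last reply written out as RouterOS bridge filter rules for a bridged AP. The interface name wlan1, the two gateway MAC addresses and VLAN 10 are constructed placeholders, and the sketch assumes the wireless interface is a port of the bridge.

```routeros
# Constructed example: wlan1, the MAC addresses and VLAN 10 are placeholders.
/interface bridge filter

# 1. Frames whose source MAC is the gateway interface may be forwarded
#    out the wireless port (this includes the gateway's own broadcasts).
add chain=forward out-interface=wlan1 \
    src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="whitelist: gateway"

# 2. Whitelist entry tied to a VLAN. vlan-id only matches when
#    mac-protocol=vlan is set on the same rule.
add chain=forward out-interface=wlan1 mac-protocol=vlan vlan-id=10 \
    src-mac-address=02:00:00:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="whitelist: gateway on VLAN 10"

# 3. Anything else heading to the wireless clients is dropped, which covers
#    DHCP and Windows broadcasts from hosts that are not on the whitelist.
add chain=forward out-interface=wlan1 action=drop \
    comment="drop non-whitelisted frames toward wireless"
```

Rules are evaluated top to bottom, so the accept entries must stay above the final drop, and the DHCP server's MAC has to be on the whitelist or clients will no longer receive offers. Frames that the AP itself originates pass through the output chain rather than forward, so they are not affected by these rules.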
