First of all, for petrik: I am not talking about the "switch" feature; I normally don't use it, so I can't give suggestions.
I am talking about a bridge of ports.
I think that the first thing to do is isolation of hosts.
This can be done by denying forwarding on access points and making a bridge rule so that everything that comes from the bridge can't be forwarded on the same or other ports:
/interface bridge filter
add action=drop chain=forward in-bridge=mybridge out-bridge=mybridge
so there will be no communication between hosts connected to the bridge; they will only be forwarded to other interfaces (it depends on the other rules you'll have in firewall filter, and so on)
this in fact voids any dhcp coming from other hosts
then:
to bind ports and mac address you'll use bridge and drop unwanted traffic,
or maybe (not tried, but I think it can work) put the bridge in arp=disabled and manually populate arp table.
to reserve addresses to mac address you'll use dhcp reservations:
I think that using the internal dhcp server will be simpler, but if you want to allow a specific dhcp server connected to the same bridge to serve addresses, you'll put it in a rule that will be evaluated before the dropping one, so your bridge filter will be (in the example your dhcp server will be on ether2):
/interface bridge filter
add chain=forward in-bridge=mybridge out-interface=ether2
add chain=forward in-interface=ether2 out-bridge=mybridge
add action=drop chain=forward in-bridge=mybridge out-bridge=mybridge
(or maybe a more fine-grained rule accepting only dhcp traffic: udp 67 and 68)
consider also hotspot capabilities if you want to be more "aggressive" on unwanted traffic (hotspot will send reset packets to all unauthenticated clients)
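
Added example, not part of the original post: one way to write the finer-grained variant mentioned above, accepting only DHCP (udp 67 and 68) to and from the server port before the isolation drop. The names mybridge and ether2 are the ones used in the post; the comments and the assumption that the host on ether2 acts only as a DHCP server (not as the clients' gateway) are added here.

```routeros
/interface bridge filter
# Client -> server: DISCOVER/REQUEST, source port 68, destination port 67.
# mac-protocol=ip is required for the ip-protocol and port matchers to apply.
add chain=forward action=accept in-bridge=mybridge out-interface=ether2 \
    mac-protocol=ip ip-protocol=udp src-port=68 dst-port=67 \
    comment="DHCP clients to server on ether2"
# Server -> client: OFFER/ACK, source port 67, destination port 68.
# Matching in-interface=ether2 means replies from any other port never hit
# this accept rule, so a DHCP server on another port is still dropped below.
add chain=forward action=accept in-interface=ether2 out-bridge=mybridge \
    mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 \
    comment="DHCP server on ether2 to clients"
# Isolation rule from the post, evaluated last: everything else that would be
# forwarded between ports of the bridge is dropped. This includes ARP and any
# non-DHCP traffic to ether2, which is why this variant assumes the host on
# ether2 is not also the gateway for the clients.
add chain=forward action=drop in-bridge=mybridge out-bridge=mybridge \
    comment="isolate hosts on the bridge"
```

Rule order matters because bridge filter rules are evaluated top to bottom; `/interface bridge filter print stats` shows per-rule packet counters, which confirms whether the accept rules are matching before the drop.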