In a typical situation, and out of the box, the hAP Mini will receive a DHCP WAN Internet IP from any device plugged into the Internet port (ether1); that works just fine for my purposes.
I’ve attempted to create a second wlan, wlan2, for a different network, with network addresses, pool, and DHCP server, successfully handing out 169.254.200.# addresses via wlan2.
I had a second bridge, with the second DHCP server assigned to bridge2 and wlan2 as a slave of bridge2.
I’m falling short on the best way to have DHCP clients on the 169.254.200.0 wlan2 network access 169.254.200.20 out of ether1.
I’ve tried adding ether1 to bridge2, but that makes some of the default firewall rules for in/out invalid; it also allows DHCP addresses from the 169.254.200.0 network DHCP server to be handed out to anyone on the layer 2 PTP bridge (rogue).
I thought I could then simply block DHCP server broadcasts from the second DHCP server from exiting ether1, but attempting that also causes firewall issues because in/out cannot be applied to slave interfaces.
I’ve been trying to accomplish the following, as illustrated in the image:
I have a wireless ptp radio plugged into WAN (ether1) of the hAP Mini.
When the PTP link is up the hAP Mini will receive a DHCP WAN IP for internet access from the ISP.
There is a non-routable fallback IP address, 169.254.200.20, to access the PTP radio plugged into the hAP Mini WAN port (ether1) at all times.
I wanted to have 2 wlans:
internet_access (the default configuration of the hAP Mini has this enabled already)
fallback_access (I created wlan2, bridge2_fallback, addresses 169.254.200.1/24 network 169.254.200.0 interface bridge2_fallback, pool_fallback 169.254.200.2-169.254.200.19, dhcp server_fallback interface bridge2_fallback address pool pool_fallback)
Problems:
When I add ether1 to bridge2_fallback, it causes in/out conflicts with IP firewall rules and advises that the slave ether1 cannot be used and to change to the master (bridge2_fallback).
The DHCP server server_fallback is then capable of becoming a rogue DHCP server, handing out addresses over the PTP radio link, which is a layer 2 bridge.
I thought I could simply stop DHCP server server_fallback from becoming rogue by blocking UDP 67 out interface ether1, but that is not allowed on a slave interface.
Can’t what I want simply be done with static routes?
I did not post a config because, at this point, I’m looking for the best method to accomplish what I’ve illustrated.
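The fallback_access setup described in the post, written out as RouterOS CLI commands. This is an added example, not the poster's own configuration (which was not shared): the interface, bridge, pool and server names and the 169.254.200.x values are the ones named above, while the virtual-AP creation on wlan1, the SSID, the security profile and the DHCP network entry are assumptions filled in so the fragment is complete.

```routeros
# Assumption: wlan2 is a virtual AP on the built-in wlan1 radio of the hAP Mini.
# The SSID and security profile names are placeholders, not from the post.
/interface wireless
add name=wlan2 master-interface=wlan1 mode=ap-bridge ssid=fallback_access \
    security-profile=default disabled=no

# Second bridge for the fallback network; only wlan2 is a port on it.
# ether1 is deliberately NOT added (the post describes the problems that causes).
/interface bridge
add name=bridge2_fallback
/interface bridge port
add bridge=bridge2_fallback interface=wlan2

# Router address on the fallback network (as described in the post).
/ip address
add address=169.254.200.1/24 interface=bridge2_fallback network=169.254.200.0

# Pool and DHCP server for fallback clients (as described in the post).
/ip pool
add name=pool_fallback ranges=169.254.200.2-169.254.200.19
/ip dhcp-server
add name=server_fallback interface=bridge2_fallback address-pool=pool_fallback disabled=no
# Assumption: a matching DHCP network entry so leases carry a gateway.
/ip dhcp-server network
add address=169.254.200.0/24 gateway=169.254.200.1
```

Because server_fallback is bound to bridge2_fallback rather than to ether1, DHCP offers from it can only reach ports of that bridge, which is the rogue-server exposure the post is trying to avoid; the unresolved part of the question, reaching 169.254.200.20 on the ether1 side from this network, is not addressed by this fragment.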
