Issues with Portforwarding to 2nd Sub-Net defined as DMZ

Wrong address: to-addresses=172.168.0.5

If it takes the resolver from DHCP, then it should work. The address (172.16.0.254) is correct and the whole 172.16.0.0/24 is in the LocalLAN list, so it should be allowed. Just make sure that the device isn't probing the router for some reason and doesn't end up in the Port-Scanner list, because blocking based on that happens before allowing access from LAN (you might want to change that, together with the rule to allow established & related).

You wrote about DNS problems, so I was looking for that. But looking at all the rules again, DNS is not your problem. You only allow new connections from bridge-local, but you need to add another rule to allow them also from ether2-dmz. And master-port=none is correct for ether2-dmz, if you want to have it as an independent interface.

Isolated is the default state. Only when you set one port to be the master of another do you put them together, and they start to behave like a switch. You can think about a single port as a master if you want, in the sense that it's isolated from other master ports.

Of course isolated here means only that L2 traffic does not travel between ports. But the router will try to forward any IP traffic it can between different ports (single or switched ones). If that's not desired, you have the IP firewall to stop it.
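As an added example (not part of the original post or the poster's configuration), here is a RouterOS filter/NAT fragment that puts the points above together: established/related accepted first, the Port-Scanner drop placed after it, a separate accept for new connections arriving on ether2-dmz, a forward rule for the dst-nat'd traffic, and a drop that stops the DMZ from reaching the LAN. The uplink name ether1-gateway, the DMZ host address 172.16.0.5 and the forwarded port 80 are assumptions; only bridge-local, ether2-dmz, 172.16.0.254, and the LocalLAN and Port-Scanner lists come from the thread.

```routeros
# Added example, not the poster's config. Assumed names/values:
# ether1-gateway (WAN), 172.16.0.5 (DMZ host), tcp/80 (forwarded service).

/ip firewall filter
# 1. Returning packets first, so they are never hit by the port-scanner drop.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# 2. Only now drop hosts that landed in the Port-Scanner list.
add chain=input src-address-list=Port-Scanner action=drop \
    comment="drop port scanners"
# 3. New connections to the router (e.g. DNS at 172.16.0.254) from LAN
#    and, the missing rule, from the DMZ interface.
add chain=input connection-state=new in-interface=bridge-local \
    action=accept comment="new from LAN"
add chain=input connection-state=new in-interface=ether2-dmz \
    action=accept comment="new from DMZ"
add chain=input action=drop comment="drop everything else to router"

# Forward chain: let the port-forwarded traffic through, but keep the
# DMZ from initiating connections into the LAN (L3 forwarding would
# otherwise be allowed between the isolated ports).
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-nat-state=dstnat in-interface=ether1-gateway \
    action=accept comment="allow dst-nat'd traffic to DMZ host"
add chain=forward in-interface=ether2-dmz out-interface=bridge-local \
    connection-state=new action=drop comment="DMZ may not reach LAN"

/ip firewall nat
# Corrected target: 172.16.0.x, not 172.168.0.x (host address assumed).
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.16.0.5 to-ports=80 \
    comment="forward tcp/80 to DMZ host"
```

Rule order matters in RouterOS: check the counters on the Port-Scanner drop and the two input accepts with `/ip firewall filter print stats` to confirm the DMZ host's packets are reaching the intended rule.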