Hello,
I’m new to this forum (not new to networking in general; in fact I run a small local WISP with over 100 customers - just mostly Linux and the other well-known brand of radios so far, beginner in RouterOS), please try to be gentle.
I’m trying to set up a RB250GS (latest SwOS v1.4) to pass only PPPoE (ethertypes 8863 and 8864) without any VLAN tags in both directions between port 1 and any of port 2-5 (connected to WAN ports of routers of different customers offices in the building), but still allow remote management from port 1.
I don’t have screenshots as the device is no longer accessible right now (still passes traffic though), but here is what I tried.
Forwarding between 1 and 2-5 was easy, but I also want to block everything except PPPoE.
I assumed the ACLs don’t block management access, but they sometimes do.
My first attempt was with 5 rules in this order (leaving other fields empty):
- from ports 2-5, vlan not present, ethertype 8863, redirect to port 1
- from ports 2-5, vlan not present, ethertype 8864, redirect to port 1
- from port 1, vlan not present, ethertype 8863, no action (= accept)
- from port 1, vlan not present, ethertype 8864, no action (= accept)
- from ports 2-5, vlan any, redirect to no ports (= drop)
Then I clicked Apply and it seemed to work, but when I clicked the System tab and then the ACL tab again, there were still 5 rules but they were different (the last one had an ethertype too, etc.). Saving a config backup didn’t work (it just hung, but the device was still accessible). Sorry, no screenshot, because later I tried this:
- from ports 1-5, vlan not present, ethertype 8863, no action (= accept)
- from ports 1-5, vlan not present, ethertype 8864, no action (= accept)
- from ports 1-5, vlan any, redirect to no ports (= drop)
Now, the device still passes PPPoE traffic as it should (PPPoE sessions are up), but I lost web/SNMP/ping access. It still sends 5678/udp broadcasts every minute with the correct source IP, so the CPU is not totally hung. My mistake was to include port 1 in rule 3, but I’ve read somewhere that the ACL has no effect on management access (that’s what Allow From is for), and I wanted to limit unnecessary traffic (mostly broadcast) going to the customers’ routers (ports 2-5) while still allowing remote management from port 1. I hope the reset button will work when I visit that location again.
Any suggestions? What am I doing wrong in the first example, or is it a bug in SwOS? I don’t really need gigabit ports there, so I could use an RB750 instead - the price is similar, but I thought a switch would be easier to set up and have lower power consumption (PoE over a long cable from a battery backup supply).
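To see why the second rule set cuts off management while the first does not, here is a small first-match model of the two ACL sets described in the post (an added example, not from the original post or from MikroTik). It assumes SwOS evaluates rules top to bottom with the first match winning, that a frame matching no rule is switched normally, and that "redirect to no ports" is a drop; the rule and frame dictionaries are invented for the model.

```python
PPPOE_DISC, PPPOE_SESS, IPV4, ARP = 0x8863, 0x8864, 0x0800, 0x0806

def rule(ports, ethertype=None, vlan_present=None, action="accept"):
    """ports: set of ingress ports; a None field matches anything."""
    return {"ports": ports, "ethertype": ethertype,
            "vlan_present": vlan_present, "action": action}

def matches(r, frame):
    if frame["port"] not in r["ports"]:
        return False
    if r["ethertype"] is not None and r["ethertype"] != frame["ethertype"]:
        return False
    if r["vlan_present"] is not None and r["vlan_present"] != frame["tagged"]:
        return False
    return True

def verdict(rules, frame):
    """First matching rule decides; an unmatched frame is switched normally (assumption)."""
    for r in rules:
        if matches(r, frame):
            return r["action"]
    return "accept"

def frame(port, ethertype, tagged=False):
    return {"port": port, "ethertype": ethertype, "tagged": tagged}

# Attempt 1 from the post: the catch-all drop covers only customer ports 2-5.
ATTEMPT1 = [
    rule({2, 3, 4, 5}, PPPOE_DISC, False, "redirect:1"),
    rule({2, 3, 4, 5}, PPPOE_SESS, False, "redirect:1"),
    rule({1}, PPPOE_DISC, False, "accept"),
    rule({1}, PPPOE_SESS, False, "accept"),
    rule({2, 3, 4, 5}, None, None, "drop"),
]
# Attempt 2 from the post: the catch-all drop also covers port 1, the uplink
# on which management traffic (IPv4, ARP) arrives.
ATTEMPT2 = [
    rule({1, 2, 3, 4, 5}, PPPOE_DISC, False, "accept"),
    rule({1, 2, 3, 4, 5}, PPPOE_SESS, False, "accept"),
    rule({1, 2, 3, 4, 5}, None, None, "drop"),
]

def management_reachable(rules):
    """Do untagged IPv4 and ARP frames entering port 1 survive the ACL?"""
    return all(verdict(rules, frame(1, et)) == "accept" for et in (IPV4, ARP))

if __name__ == "__main__":
    for name, rules in (("attempt 1", ATTEMPT1), ("attempt 2", ATTEMPT2)):
        print(name, "management from port 1 reachable:", management_reachable(rules))
```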