We're separating a management vlan from users vlan, we need to disable all traffic (including arp, dhcp, etc) that aren't pppoe on users vlan.
We need it to prevent any broadcast flood, network scan and any access from non-authenticated users, hardware, etc.
How to do it correctly? Bridge filter? Do I need to add drop filters one-by-one to block each protocol except pppoe-discovery and pppoe-session?
Will it noticibly affect Mikrotik's performance?

CCR-1009-8G-1S-1S+ on ROS 6.42.5.