The configuration of the bridge and the switch chip is heavily interlinked so you'll have to add ether1 to the common bridge with vlan-filtering set to yes, use an unassigned VLAN ID for the WAN interface (say, 3333) and set ether1 as a hybrid port with "default vlan" 3333 and VLAN 500 permitted on it, and the interface to which that special client will be connected (say, ether2) as a hybrid port with "default vlan" 1 and VLAN 500 permitted on it.
Then, you'll have to use the /interface ethernet switch port and /interface ethernet switch vlan menus to "replicate" the settings in /interface bridge port and /interface bridge vlan.
So connect the PC from which you configure the box to one of the ports which will remain normal LAN ones, and set something like the following:
/interface vlan add name=wan-vlan vlan-id=3333
/interface list member add list=WAN interface=wan-vlan
Now move the WAN IP configuration (/ip address or /ip dhcp-client) from ether1 to wan-vlan; by that step you break the connectivity to internet via ether1.
/interface bridge port add bridge=bridge interface=ether1 pvid=3333 hw=yes
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge untagged=ether2,ether3,ether4,ether5
add bridge=bridge vlan-ids=500 tagged=ether1,ether2
add bridge=bridge vlan-ids=3333 tagged=bridge,ether1
now press Ctrl-X to actvate safe mode, and then issue /interface bridge set bridge vlan-filtering=yes protocol-mode=none
If you don't lose the management connection, you should also re-gain internet access at this step. If so, you can deactivate the safe mode to store this intermediate result, and continue by setting up the switch chip for hardware forwarding:
/interface ethernet switch vlan
add switch=switch1 vlan-id=0 ports=switch1-cpu,ether2,ether3,ether4,ether5
add switch=switch1 vlan-id=500 ports=ether1,ether2
add switch=switch1 vlan-id=3333 ports=switch1-cpu,ether1
/interface ethernet switch port
set ether1 default-vlan-id=3333 vlan-mode=secure
Now activate safe mode again before the following step:
set ether2,ether3,ether4,ether5 defaut-vlan-id=0 vlan-mode=secure
If your management connection survives this step, you can switch off safe mode an you're done.
If not, something has changed in handling of VID 1 and VID 0 between the chip and the CPU since the time I did something like this the last time a couple of RouterOS versions ago.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.