Hi @saka, you haven't stated the most important part (or I haven't understood it from your post) - are all the devices including the camera and the POS terminal able to tag/untag the frames with a VLAN tag themselves, or do they depend on the switch doing that for them? If the PC is running Windows, it most likely needs the switch to tag/untag the frames; Linux PCs can usually do that themselves.
So - if all your connected devices, or all but one, can handle VLAN tagging by themselves, an unmanaged switch is enough and you only need the two Mikrotiks to communicate wirelessly in bridging mode so that they would pass the tagged VLAN frames transparently between the trunk port at the C2960 and the dumb switch at the security station, and, if the single device needs the VLAN tagging/untagging to be done externally, to do that on the Mikrotik.
If more than one device connected on the security station needs the tagging/untagging to be done externally, I would prefer a managed switch, because it is possible to do the task of converting "mac-based VLAN" into "tag-based VLAN" on the Mikrotik, but such a solution is poorly manageable. The dumb switch will not tell the Mikrotik from which of its ports the frame is coming, so the only identification you have is the MAC address of the device, which changes if you replace it with a new one.
So if you think about connecting just a single security station at the gate of some resort, the managed switch (which can be a hEX) will cost you less hair during maintenance; if you think about tens of such security stations, then maybe the savings on the price difference between a dumb switch and hEX can justify the workload associated with the maintenance of the MAC-based VLAN. Also think about the night when a camera fails and needs to be replaced - with a managed switch, the guard can disconnect the old one, connect the new one to the same port and that's it; with MAC-based VLAN, you'll have to connect there and change the MAC in the filter rules on the Mikrotik radio to the one of the new camera.
One more reason to use a "better" switch would be that most cameras, many POS terminals, and almost all IP phones can be powered using PoE, so it's less burden with cabling if you use hEX PoE or an equivalent. But yes, there are also dumb switches with PoE, so it is again your time&nerves vs. the price of the switch.
Let me know if, despite all the disadvantages, you want to take the MAC-based way.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.