Well.. more elegant... Using switch chip rules for the purpose means not adding any load to the CPU, so the only better solution would be to apply the switch chip rules directly on the 5009 rather than on the 309. But I don't have one handy, so you have to check on your own whether the switch chip used in the 5009 can match on vlan ID and source IP address simultaneously. And you would have to apply the rules on the CPU port since they are used on ingress, so be careful and test with a single source IP address and a VLAN ID that is not essential, otherwise you can easily lock yourself out.
I had the exact same thought, and I tried applying the same basic rules that work on the crs309 to the switch chip on the rb5009 and they seemed to have no effect, whether using the cpu interface or the sfp interface. I might have been doing something else wrong though, not sure.
Here are the rules from the crs309:
/interface ethernet switch rule
add comment="drop 10.0.0.0/8" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=10.0.0.0/8 switch=switch1 vlan-id=1000
add comment="drop 172.16.0.0/12" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=172.16.0.0/12 switch=switch1 vlan-id=1000
add comment="allow to 192.168.1.254" dst-address=192.168.1.254/32 ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.1.0/24 switch=switch1 vlan-id=1000
add comment="allow from 192.168.1.254" dst-address=192.168.1.0/24 ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.1.254/32 switch=switch1 vlan-id=1000
add comment="drop 192.168.0.0/16" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.0.0/16 switch=switch1 vlan-id=1000
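The five rules above only work because of their order: the two "allow" entries for 192.168.1.254 sit before the 192.168.0.0/16 drop, so the management host keeps its path while the rest of the range is cut on VLAN 1000. The following simulator is an added example, not code from the thread or from MikroTik. It encodes the quoted rules and replays constructed packets through them, assuming first-match evaluation from top to bottom and that a rule with new-dst-ports="" drops the frame (a simplification of the switch chip, to be confirmed on real hardware). Its lockout check is the kind of dry run worth doing before committing rules to a switch you can only reach over the network.

```python
"""Offline replay of the CRS309 switch-chip ACL rules quoted above (added example).

Assumptions (not verified against the switch chip itself):
  * rules are evaluated top to bottom and the first match wins;
  * new-dst-ports="" (no egress ports) means the frame is dropped;
  * a rule without a dst-address or vlan-id matches any value for it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    comment: str
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    vlan_id: Optional[int]
    drop: bool  # True when the rule carries new-dst-ports=""


def net(cidr: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    return ipaddress.ip_network(cidr) if cidr else None


# The rule set from the post, in the order it was added.
RULES = [
    Rule("drop 10.0.0.0/8", net("10.0.0.0/8"), None, 1000, drop=True),
    Rule("drop 172.16.0.0/12", net("172.16.0.0/12"), None, 1000, drop=True),
    Rule("allow to 192.168.1.254", net("192.168.1.0/24"), net("192.168.1.254/32"), 1000, drop=False),
    Rule("allow from 192.168.1.254", net("192.168.1.254/32"), net("192.168.1.0/24"), 1000, drop=False),
    Rule("drop 192.168.0.0/16", net("192.168.0.0/16"), None, 1000, drop=True),
]


def matches(rule: Rule, src: str, dst: str, vlan: int) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule.vlan_id is not None and rule.vlan_id != vlan:
        return False
    if rule.src is not None and s not in rule.src:
        return False
    if rule.dst is not None and d not in rule.dst:
        return False
    return True


def evaluate(src: str, dst: str, vlan: int) -> Tuple[str, str]:
    """Return (verdict, rule comment) for one packet; unmatched packets are forwarded."""
    for rule in RULES:
        if matches(rule, src, dst, vlan):
            return ("drop" if rule.drop else "forward", rule.comment)
    return ("forward", "no match")


def management_reachable(admin: str, router: str, vlan: int) -> bool:
    """Lockout check: both directions between the admin host and the router must survive."""
    to_router, _ = evaluate(admin, router, vlan)
    from_router, _ = evaluate(router, admin, vlan)
    return to_router == "forward" and from_router == "forward"


# Constructed sample packets: (src, dst, vlan) and the outcome expected from the rule order.
SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.254", 1000),  # admin -> router: allowed by rule 3
    ("192.168.1.254", "192.168.1.10", 1000),  # router -> admin: allowed by rule 4
    ("192.168.1.10", "192.168.1.20", 1000),   # lateral on VLAN 1000: dropped by rule 5
    ("10.1.2.3", "192.168.1.254", 1000),      # RFC1918 source: dropped by rule 1 before rule 3 is reached
    ("192.168.1.10", "192.168.1.20", 20),     # other VLAN: rules do not apply
]

if __name__ == "__main__":
    for src, dst, vlan in SAMPLE_PACKETS:
        print(f"{src:>14} -> {dst:<14} vlan {vlan:<5} {evaluate(src, dst, vlan)}")
    print("management reachable on vlan 1000:",
          management_reachable("192.168.1.10", "192.168.1.254", 1000))
```

Swapping the order of the allow and drop entries (or adding a broader drop above them) flips the management_reachable result, which is exactly the lockout the earlier reply warns about; running this kind of dry run against a proposed rule set costs nothing, while recovering from the real thing needs a serial console.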
Or find a USB-to-serial converter and configure serial console before adding any switch chip rules. Removing an interface from a bridge and using it as a backup management interface is not enough, as the traffic of all ports always flows through the switch chip.
Funny you say that, I totally locked myself out of my crs309 earlier and had to use a serial console to get back into it.
For the unlikely case that you wanted to use bridge filter rules - the last time I tried that with late 6.48 or early 6.49, it was not possible to match on VLAN ID and IP address simultaneously, but maybe 7.x has improved in that regard. There also used to be an issue with endianness of the ethertype (mac-protocol) value on some architectures. So it would require quite a lot of testing if you wanted to go that way, but the switch chip rules on the 5009 seem the best by far to me. The workaround to matching on IP address and VLAN ID at the same time is to use an auxiliary bridge, but I would not call that "elegant".
From poking around in bridge filter rules it seemed fairly limited, but I'm pretty new to the MikroTik world so I very well might be missing something.
Thanks again for all of your (and others) help on this.