My ISP won't respond to DHCP request for getting a public IP if the request is NOT with a particular QoS on the 802.1q header.
There is no QoS field in the 802.1q header. Nor is there a COS field, which explains my trouble searching for information to help you. Please use the correct terms.
I assume you're referring to the priority code point field (PCP) instead, which RouterOS calls the vlan-priority. I've never run across a need to set the PCP field, but I think you can get what you want with something like:
/interface/ethernet/switch/rule
add ports=ether1 dst-port=67 protocol=udp mac-protocol=ip \
    vlan-id=832 vlan-priority=6
See the docs on switch chip rules for details. I don't have an RB5009 here to test with, but at the top of that page, it says the switch chip in that model has room for 256 rules.
Incidentally, I suspect you don't need to restrict this rule to DHCP. Setting the same VLAN priority for all traffic might be legitimate; ask your ISP's techies. If that's right, you're thinking in terms of DHCP only because it's the first thing that must succeed on this interface. That doesn't mean the priority must change after the DHCP exchange is complete.
I don't understand what you mean with
Now that you've discovered that you have only one hardware bridge, it's sensible to put the WAN port outside it, forcing all traffic to cross the CPU
Sensible as a security issue?
Or performance issue?
I'm saying that if you can have only one hardware bridge, it's sensible to use that for the LAN-side ports, since there's more than one, and bridging them together is what you normally want to do.
(Contrast LAN-side routing, which is uncommon with RB5009 class devices beyond basics like inter-VLAN routing.)
That leaves two options for the WAN-side port: put it in a bridge, which must be a software bridge under the limitations for this model of router, or don't put it in a bridge at all. Since you don't get the benefit of hardware bridging either way, and bridging is causing you trouble, why not take the second option?
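To confirm from a packet capture that the DHCP request really leaves with the expected tag, the 802.1Q tag control field can be decoded directly. The following is an added example, not code from this thread or from MikroTik: the function names are hypothetical, the sample frame is constructed, and VLAN 832 with priority 6 are taken from the rule posted above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tci(pcp, vid, dei=0):
    """Pack the 16-bit Tag Control Information: PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("pcp must be 0-7, dei 0-1, vid 0-4095")
    return (pcp << 13) | (dei << 12) | vid

def parse_frame(frame):
    """Return the VLAN tag fields and, for IPv4/UDP, the UDP destination port."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"tagged": False, "pcp": None, "dei": None, "vid": None, "udp_dport": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
        if frame[offset + 9] == 17 and len(frame) >= offset + ihl + 4:
            info["udp_dport"] = struct.unpack_from("!H", frame, offset + ihl + 2)[0]
    return info

def dhcp_request_ok(frame, want_vid=832, want_pcp=6):
    """True if the frame is a tagged DHCP client-to-server packet with the expected VID and PCP."""
    f = parse_frame(frame)
    return f["tagged"] and f["udp_dport"] == 67 and f["vid"] == want_vid and f["pcp"] == want_pcp

def sample_frame(pcp):
    """Constructed broadcast frame: 802.1Q tag, minimal IPv4 header, UDP 68 -> 67."""
    eth = bytes.fromhex("ffffffffffff020000000001")
    eth += struct.pack("!HHH", TPID_8021Q, build_tci(pcp, 832), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    return eth + ip + udp

if __name__ == "__main__":
    for pcp in (0, 6):
        print(pcp, parse_frame(sample_frame(pcp)), dhcp_request_ok(sample_frame(pcp)))
```

Feed `parse_frame` the raw bytes of a frame exported from a capture taken on the WAN port; a frame that shows up untagged or with `pcp` 0 means the priority is not being applied before the packet leaves the router.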