Your setup makes no sense to me: you have ether1, ether4 and ether5 as bridge ports but are missing ether2 and ether3, and you name the bridge DHCP-Server. Why confuse people?
This is what makes sense to me for the 2011 based on your diagram.
/interface bridge
add name=bridge2011 vlan-filtering=yes
/interface vlan
add interface=bridge2011 name=vlan11 vlan-id=11
add interface=bridge2011 name=vlan33 vlan-id=33
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=management
/interface list members
add interface=vlan11 list=management
/ip neighbor discovery-settings
set discover-interface-list=management
/ip pool
add name=dhcp_pool33 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool33 disabled=no interface=vlan33 name=dhcp33
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1
/ip address
# 192.168.1.XX = whatever IP you statically set for the 2011 in vlan11 in the CRS device
add address=192.168.1.XX/24 interface=vlan11 network=192.168.1.0
add address=192.168.4.1/24 interface=vlan33 network=192.168.4.0
/interface bridge port
add bridge=bridge2011 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge2011 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge2011 tagged=bridge2011,ether2,ether3 vlan-ids=11,22
add bridge=bridge2011 tagged=bridge2011,ether3 vlan-ids=33
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server mac-winbox
set allowed-interface-list=management
Now the problem that could arise, as your requirements are weakly stated, is the traffic flow for vlan33.
Are you thinking that vlan33 traffic goes past the RB2011? I.e. to the CRS and perhaps to the internet, etc.
If so, the CRS will not know where to send the return traffic, so you have two choices:
1. Create a route on CRS something like
/ip route
add dst-address=192.168.4.0/24 gateway=192.168.1.XX comment="fixed static IP of RB2011"
OR
2. sourcenat all the vlan33 traffic, so it looks like it's coming from the RB2011 vlan11.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.4.0/24
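An offline consistency check for the bridge VLAN table in the configuration above, added here as an example and not part of the original post. It confirms that VLAN filtering is on, that each VLAN interface has the bridge itself as a tagged member, and that each tagged-only port belongs to at least one VLAN. The names `parse_export` and `audit` are hypothetical, and the sample text is constructed from the post's own lines.

```python
import shlex
# Constructed sample: the bridge and VLAN lines of the configuration in the post.
CONFIG = """\
/interface bridge
add name=bridge2011 vlan-filtering=yes
/interface vlan
add interface=bridge2011 name=vlan11 vlan-id=11
add interface=bridge2011 name=vlan33 vlan-id=33
/interface bridge port
add bridge=bridge2011 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge2011 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge2011 tagged=bridge2011,ether2,ether3 vlan-ids=11,22
add bridge=bridge2011 tagged=bridge2011,ether3 vlan-ids=33
"""

def parse_export(text):
    """Return (menu, {key: value}) for every 'add' line of an export."""
    menu, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):  # shlex keeps quoted comment="..." values whole
            rows.append((menu, dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)))
    return rows

def audit(text):
    """Return a list of VLAN-filtering problems; empty means all checks passed."""
    rows = parse_export(text)
    menu = lambda name: [kv for m, kv in rows if m == name]
    problems, tagged = [], {}  # tagged: (bridge, vlan id) -> set of tagged members
    for kv in menu("/interface bridge vlan"):
        for vid in kv["vlan-ids"].split(","):  # assumption: ids listed singly, no ranges
            tagged.setdefault((kv["bridge"], vid), set()).update(kv.get("tagged", "").split(","))
    bridges = {kv["name"] for kv in menu("/interface bridge")}
    for kv in menu("/interface bridge"):
        if kv.get("vlan-filtering") != "yes":
            problems.append(f"{kv['name']}: vlan-filtering is not enabled")
    for kv in menu("/interface vlan"):
        # A VLAN interface on the bridge needs the bridge itself as a tagged member.
        br, vid = kv["interface"], kv["vlan-id"]
        if br in bridges and br not in tagged.get((br, vid), set()):
            problems.append(f"{kv['name']}: {br} is not a tagged member of VLAN {vid}")
    for kv in menu("/interface bridge port"):
        port, br = kv["interface"], kv["bridge"]
        trunk = kv.get("frame-types") == "admit-only-vlan-tagged"
        if trunk and not any(port in m for (b, _), m in tagged.items() if b == br):
            problems.append(f"{port}: tagged-only port is in no VLAN on {br}")
    return problems
```

`audit(CONFIG)` returns an empty list for the configuration as posted; dropping `bridge2011` from the `tagged=` list of VLAN 33 makes it report `vlan33`.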