@darknate, stick to the harder stuff, it's where you excel. I will never come close to 1/32 of what you know, but leave the easy pickings to those that are used to mucking in the mud.
@OP, taking a look at your config, it looks excellent!
(1) However, it needs a slight adjustment on /interface bridge vlan to get close to perfection.
You have
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
Needs to be
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=wlan1 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=wlan2 vlan-ids=20
add bridge=BR1 tagged=ether1 untagged=wlan3 vlan-ids=30
Note, you can leave out the untagged in this case, but I prefer to put them in the config so that they are visible in an export of the config and one can cross match easily with bridge ports to see what you have done (even more so if ever using hybrid ports).
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=20
add bridge=BR1 tagged=ether1 vlan-ids=30
(2) Minor change: mac-server is not a secure access method and thus should not be utilized.
From
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
To
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
(3) Add this line.
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=192.168.88.1
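An added example, not part of the original post: a Python check that reads a RouterOS export and does the cross-match described in (1), bridge port PVIDs against the `/interface bridge vlan` entries, and also flags mac-server left enabled on an interface list as in (2). The sample export is constructed, the wlan `pvid` values are assumed from the VLAN IDs in the post, and the function names are hypothetical.

```python
import re

# Constructed sample export (not from the post); the wlan pvid values are assumed.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=20
add bridge=BR1 interface=wlan3 pvid=30
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=wlan1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=20
/tool mac-server
set allowed-interface-list=BASE
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif menu and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[menu].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(text):
    """Flag PVIDs without a static bridge VLAN entry and an enabled mac-server."""
    menus, findings, vlans = parse_export(text), [], {}
    for row in menus.get("/interface bridge vlan", []):
        untagged = set(filter(None, row.get("untagged", "").split(",")))
        for vid in row.get("vlan-ids", "").split(","):  # ranges (10-20) not expanded
            vlans.setdefault(vid, set()).update(untagged)
    for port in menus.get("/interface bridge port", []):
        name, pvid = port.get("interface"), port.get("pvid", "1")
        if pvid == "1":  # default PVID: trunk or untouched port
            continue
        if pvid not in vlans:
            findings.append(f"{name}: pvid {pvid} has no static bridge vlan entry")
        elif name not in vlans[pvid]:
            findings.append(f"{name}: untagged on vlan {pvid} only dynamically")
    for row in menus.get("/tool mac-server", []):
        lst = row.get("allowed-interface-list", "none")
        if lst != "none":  # MAC Telnet reachable on this interface list
            findings.append(f"mac-server allowed on interface list {lst}")
    return findings
```

Calling `audit(SAMPLE_EXPORT)` returns one finding each for wlan2, wlan3 and mac-server; export lines continued with a trailing backslash are not joined by this parser.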