I'd add a switch to this environment, create a VLAN for your IoT devices, set your PCs up on another VLAN (this could be a VLAN for Trusted-Wifi and your wired PCs, and anything else you trust), and perhaps a third VLAN for your NVR equipment. Do the VLANs at the switch level, set up a trunk port...
A decent router honestly shouldn't allow that, but I'm used to enterprise gear. I'd be surprised if you aren't dropping packets in this setup, unless Mikrotik is essentially a consumer router with a built-in switch with some enterprise software capabilities. I haven't used their products.
A router's job is to route between different subnets, aka a different subnet on each port. I'd honestly be surprised if the router allows for this configuration; home routers allow it because their ports are basically an inbuilt switch. In this layout you are treating the router as a switch, it...
Do you use port security or sticky MAC?
Try clearing the ARP cache on the firewalls and switches that are needed to get through. Had issues before where our FW wouldn't let go of an old MAC,
Clear ARP and bounce the port the printer is on, check the config and make sure there isn't another...
Hidden SSIDs are the equivalent of hiding your porn stash in multiple nested folders: anyone who knows how to search files will find it. It's security through obscurity, which isn't really security. Same with MAC whitelists; it's really easy to get the MAC of nearby devices and spoof them. But that...
You really need a VPN if you want to RDP externally to your machines on the network. Without it... it's like a bank asking how to keep criminals from climbing in the open window and robbing them; you tell them to close the window and they do, but they open another window and the criminals climb...
If you indeed have two routers (the provider's gateway router that you would have no control over, and then your own internal router, one you control) and the provider is setting routes to your internal router, then if you change the IP address of your router they would need to update their routes...
What versions are you running? This looks like an earlier bug with dnsmasq and OpenWrt but should be fixed: https://bugs.openwrt.org/index.php?do=details&task_id=673
Create a new subnet and DHCP pool separate from your main network, assign the port that is connected to your wireless bridge to a VLAN, and confirm the VLAN is working by checking that the IPs of devices in the other building are on the new network you created. Normally you'd have to set up inter-VLAN routing...