You put the necessary ports in a separate bridge, hang up a dhcp server on it and write a src-nat rule to access the Internet.

Yes, it is necessary that there be isolation between networks

For this task, you need to assign an ip-address to the desired port (bridge, if you need several ports) and throw it out into the world with NAT.

/ip address
add address=10.1.2.1/24 interface=ether2 network=10.1.2.0 comment="DMZ"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

We configure DHCP for the option when PCs receive settings only through a router. Even if the settings are manually entered in the PC settings, this will not be reflected in the ARP tables and such a device will not work.

/ip dhcp-server
add address-pool=dmz interface=ether2 name=dhcp-dmz add-arp=yes
/ip dhcp-server network
add address=10.1.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.2.1 netmask=24
/ip pool
add name=dmz ranges=10.1.2.2-10.1.2.254
/interface ethernet
set [ find default-name=ether2 ] arp=reply-only

If you need reinforced concrete network insulation, go to ip→routes→rules

/ip route rule
add action=unreachable dst-address=10.1.1.0/24 src-address=10.1.2.0/24
add action=unreachable dst-address=10.1.2.0/24 src-address=10.1.1.0/24

The same can be done through ip→firewall→filter , but it is more concrete, because the routes are processed earlier and guarantee that everything will be isolated, even if there is a jamb / hole in the firewall.