Firewall not fully working with VLANs? Or could it be an (asymmetric) routing issue?

Good point, I indeed didn’t explain my intent.

So the 4 PoE ports should be members of VLAN 11, 12 and 13, where VLAN 13 should have a route to the Internet, just like VLAN 10. On VLAN 13 I’ll run websites and other online services. VLAN 10 is just the default gateway to the Internet and the rest of my LAN. VLAN 11 and 12 should be closed from the Internet and the rest of the LAN.

So I want to be able to manage access to these networks. VLANs are set up, but I would prefer to also have a firewall from the Mikrotik in front of it.

If disabling the router functionality can be done and still have an L3 firewall, then that sounds great. I hope that doesn’t mean I have to use the software bridge, because if I enable VLAN filtering there, hardware offload is disabled and the performance is quite low.