First Time Mikrotik - I am lost :-/

Hi,
I got a RouterBoard 2011UiAS-RM and am trying to use it as my router at home. I’m an experienced Cisco admin, so I have a good understanding of networks, but the configuration of the RouterBoard is driving me crazy :wink: so I need help.
(btw: I am from Germany so… don’t expect excellent English :wink:)

I am trying to build the following home network:
[image: net.png]
The plan was to use the RouterBoard like an L3 switch.
The RouterBoard should be the L3 border for the DATA and the WLAN network, routed via transport networks to the firewall (trunk on 8 and 9).
The VOICE and the WAN VLAN are only switched (separated on L2). The gateway for VOICE is the firewall. The WAN VLAN needs the way back to the RouterBoard so I can capture the WAN traffic stats with the RouterBoard.
The MGMT VLAN should be switched between the firewall and the RouterBoard with an SVI (ports 1 and 8).

Btw: I tried to configure it via WinBox; I thought it would be more intuitive and a faster way to get into MikroTik.

First of all I did a config reset, because I don’t like default configurations :stuck_out_tongue:
Then I created VLANs under “Switch - VLAN”. That was the first thing that confused me… why the hell do I have to give it a physical interface? It’s a VLAN, it doesn’t need one to exist… but ok, I thought this was going to be the untagged ports. But after enabling the VLAN mode on the switch interfaces, I noticed that there is also the possibility to configure a native VLAN…

So I decided to configure all VLANs under “Switch - VLAN”, assign every port to its VLAN and then configure the “access ports” as VLAN mode secure, always strip, default VLAN.
For the trunks: mode secure, add if missing, no default VLAN.
I thought this sounded good… must be ok.

Then I configured the VLAN interfaces (SVI) under “Interfaces - VLAN” … and again: a physical port? For an SVI? Makes no sense to me…
So I got the idea that these are not SVIs; these are subinterfaces on a routed port (compared to Cisco).

The next idea was to create bridges, assign the ports to the bridges and then create a VLAN interface that has a bridge as its interface… makes sense… but it didn’t work.
I also read something about bridges and MikroTik and found out that there are also 2 switch chips that can do the job better… now I’m totally confused…

I tried many things over the last few days but couldn’t get it working.

… you see… I am very confused ^^
How can I get my network working in the most performant way?
And by the way: to separate the networks on L3 I usually would use VRF-Lite. Is there something similar on the RouterBoard to separate routing tables, processes and anything else on L3?

At least initially, I would not bother with the switch chip. Currently the switch chip VLAN configuration is completely separate from the bridge (software) VLAN configuration, and this leads to a lot of confusion. The plan afaik is to soon bring the switch chip VLAN configuration under the umbrella of the bridge VLAN configuration, so that the current VLAN configuration option in the switch settings will be removed (to my knowledge). Unless you need to do things that way for performance reasons, I would suggest using the bridge-based VLAN configuration and do not configure any VLAN settings under the switch chip, leave those at the default. If you are bridging a very large amount of traffic you might need to use the switch chip VLANs for performance but then those will need to be configured in a few different places, and that will take you longer to figure out if you are new to the platform.

I would not use VRFs simply to prevent connectivity between different subnets - MikroTik has the firewall feature that allows you to block traffic between subnets. You can simply create rules to block forwarding between the VLAN interfaces that you do not want to talk to each other. You can also create ‘interface lists’ if you find it easier to work with; those allow you to create a ‘group’ of interfaces (like a group of VLAN interfaces) and then you can assign firewall rules based on the group of interfaces.
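To make the bridge-VLAN plus firewall approach from the reply concrete, here is an added RouterOS terminal example; it is not a config posted by either participant. It assumes RouterOS 6.41 or newer (bridge VLAN filtering), and the VLAN IDs, subnets and port assignments are made up, since the thread gives none (DATA = VLAN 10 on ether2, WLAN = VLAN 20 on ether3, MGMT = VLAN 99, trunks on ether8/ether9).

```routeros
# Added example: bridge VLAN filtering + firewall, not a config from the thread.
# Assumed values (not from the post): DATA = VLAN 10 on ether2, WLAN = VLAN 20 on
# ether3, MGMT = VLAN 99 via the ether8 trunk, trunks to the firewall on
# ether8/ether9, 192.168.10.0/24 and 192.168.20.0/24 as the two routed subnets.

# 1. One bridge; keep vlan-filtering off until every VLAN entry exists,
#    otherwise the first mistake cuts off management access.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Access ports: untagged, PVID sets the VLAN; tagged frames are refused on ingress.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunks: tagged only, so an untagged device plugged in here cannot land in PVID 1.
add bridge=bridge1 interface=ether8 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether9 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 3. VLAN table. Listing "bridge1" under tagged= is what lets the VLAN reach the
#    CPU (the Cisco SVI equivalent); a switched-only VLAN such as VOICE would omit it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether8,ether9 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether8,ether9 untagged=ether3
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether8

# 4. L3 interfaces are created on the bridge, not on a physical port.
/interface vlan
add name=vlan10-data interface=bridge1 vlan-id=10
add name=vlan20-wlan interface=bridge1 vlan-id=20
add name=vlan99-mgmt interface=bridge1 vlan-id=99
/ip address
add address=192.168.10.1/24 interface=vlan10-data
add address=192.168.20.1/24 interface=vlan20-wlan
add address=192.168.99.2/24 interface=vlan99-mgmt

# 5. Interface list + firewall instead of VRF: the routed VLANs may reach the
#    uplink, but not each other.
/interface list
add name=LAN_VLANS
/interface list member
add list=LAN_VLANS interface=vlan10-data
add list=LAN_VLANS interface=vlan20-wlan
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface-list=LAN_VLANS out-interface-list=LAN_VLANS comment="no DATA<->WLAN forwarding"

# 6. Only now enable filtering (use Safe Mode in WinBox/terminal while doing so).
/interface bridge
set bridge1 vlan-filtering=yes
```

With vlan-filtering enabled, the RB2011 switch chip no longer offloads the bridge, which is the performance trade-off the reply mentions; the switch-chip VLAN menu stays at its defaults.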