Your life would be much easier if you chose to go VLAN all the way. Lots of great (and correct) examples can be found in this topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
With regard to the firewall, you could consider allowing explicitly and dropping everything else. Just make sure that you allow access to yourself so you can still manage the device.
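
An allow-explicitly, drop-the-rest filter as described above, written as an added example that is not part of the original post. The interface name `vlan99-mgmt`, the admin subnet `192.168.99.0/24`, and the `MGMT`, `LAN` and `WAN` interface lists are assumptions to replace with your own.

```routeros
# Added example. Assumed names: vlan99-mgmt, 192.168.99.0/24, lists MGMT/LAN/WAN.
# Apply from a terminal in Safe Mode so a mistake is rolled back if the session drops.

/interface list
add name=MGMT
/interface list member
add interface=vlan99-mgmt list=MGMT

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router already tracks"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="ICMP to the router"
# The management rule must sit above the final drop, or you lock yourself out.
add chain=input action=accept in-interface-list=MGMT \
    src-address=192.168.99.0/24 protocol=tcp dst-port=22,8291 \
    comment="SSH and WinBox from the admin subnet only"
add chain=input action=drop comment="drop everything else to the router"

# --- forward chain: traffic routed between VLANs and to the internet ---
add chain=forward action=accept connection-state=established,related \
    comment="replies to allowed flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN VLANs to the internet"
add chain=forward action=drop comment="drop everything else, including inter-VLAN"
```

Rules are evaluated top to bottom, so any additional allow rule (for example one VLAN reaching a printer in another) has to be placed above the final drop of its chain.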