http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
On the 5009, port with traffic will either be:
a. access ports going to dumb devices, untagged for the vlan associated with that device.
b. trunk port going to smart devices (that can read vlan tags) carrying all the vlans that the device is responsible for forwarding ( AP over wifi, Switch on its other ports access or trunk as appropriate )
c. trunk port should also carry the trusted or managment vlan ( used at the minimum to provide smart devices with their IP address on that vlan and perhaps also data (trusted vlan).
If you have unifi APs, then hybrid ports are probably required (at least if the default setup on unifi is not changed ).