Could someone help me translate below firewall rules to MikroTik config? (MikroTik router hAP ac3) 
(1) Easy answer is you do not have to worry about NOT seeing.
BY default with the last rule in your forward chain all VLANS are blocked from each other at Layer 3.
So all you need to state is what is allowed as everything is blocked!
(2) Question!
One thing I dont understand is if your Blue VLAN is your trusted VLAN, why not have access to all the vlans,
surely as admin you may have reason to see into the BLACK VLAN if nothing else for testing purposes.
So maybe you only want one the admin IPs to access Black but nobody else on VLAN BLUE ??
(3) Black is easy, its a WLAN where you dont want wifi clients to see each other and it should only have internet access.
All you have to do is on the wireless settings for this WLAN 6 is UNCHECK FORWARDING on the main wireless tab.
(4) Red is somewhat easy in that you have to make a new interface list for vlans allowed to the internet and then adjust the firewall rules accordingly.
This one tells me you want wifi clients to see each other and that is all on this WLAN 5.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/interface list (add the below)
…
add name=INTERNET
/interface list members
…
/interface list member (add the below)
…
add interface=BLUE_VLAN list=INTERNET
add interface=GREEN_VLAN list=INTERNET
add interface=BLACK_VLAN list=INTERNET
add interface=ether3-help list=INTERNET
Then change these two rules into one rule.
FROM
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=BASE out-interface-list=WAN
TO
add action=accept chain=forward in-interface-list=INTERNET out-interface-list=WAN
For the GREEN VLAN add this forward chain rule ( as in all cases with new accept rules they need to go BEFORE the drop all rule)
add action=accept chain=forward in-interface=VLAN-GREEN out-interface=VLAN-RED
For the BLUE VLAN, since its two subnets or interfaces you wish access then recommend:
/interface list (add the below)
…
add name=BROWN (the colour you get from mixing green and red LOL)
/interface list member (add the below)
…
add interface=RED_VLAN list=BROWN
add interface=GREEN_VLAN list=BROWN
Then add the following firewall rule
add action=accept chain=forward in-interface=VLAN-BLUE out-interface-list=BROWN
NOW IF YOU WANT BLUE to be able to access BLACK BUT ONLY THE ADMIN as one should be able to do. Suggesting adding the following rule -
add action=accept chain=forward in-interface=VLAN-BLUE out-interface=VLAN-BLACK src-address-list=adminaccess
where adminaccess is a firewall address list you create (from dhcp leases set statically)
add IP=IP of admin desktop list=adminaccess
add IP=IP of admin laptop list=adminaccess
add IP=IP of admin smartphone list=adminaccess
add iP=IP of admin ipad list=adminaccess
etc…
The reason of this is that if somehow one of my BLUE devices fall into the wrong hands from outside world (like viruses, being hacked or something like this),
then access to BLACK will be disabled at least. I’m not sure if there is any sense in this (is there?) but it was in my mind when I was writing about it.
Fair enough then simply dont add any rule from blue to black, with the drop all rule at the end, its dropped already. 
Almost everything works but there is only one problematic case:
I can successfully ping the Speaker from BLUE device. However I don’t see the Speaker to choose in my Phone.
If I switch phone from BLUE to GREEN (and the Speaker is also in GREEN) then I can choose the Speaker from Phone.
How is that possible? 
I think that the same problem could happen with Chromecast. (TO BUY - on my shopping list )
Is there any fix for this problem?
Yeah when you get into multicast attempts across vlans it gets dodgy.
No solution that I am aware of but others may have some fancy tricks up their sleeves.
(difference is that green to green comms is at layer 2, blue to green comms is at layer 3)
I have a few more basic questions:
How do you handle IOT devices on mikrotiks routers? Have you got the speakers and chromecast in one wifi with computers and mobile phones? If they are in the same wifi - have you set any additional firewall rules (or are you protected in any additional way)?
I know from previous answer that I can’t run chromecast or speakers from another vlan… its ok… but just to be sure - it means that I can’t use ANY devices from another vlan? or maybe I can’t run devices only of type like chromecast/speakers? For example: smart bulb is in RED, phone is in GREEN. Can I turn on bulb from GREEN?
It all depends. Routers generalky don’t break communication between devices from different networks, routers enable that communication. If something breaks the communication, it’s firewalls.
But: devices have to know with who to communicate. Many smart devices rely on broadcast mechanisms to find communication peers and routers block broadcasts. So if master device (controller or something alike) can be (manually) configured with IP addresses of slave devices, those addresses can be in different network and packets sent out will reach those devices just fine. Then slave devices could be configured to drop packets from networks other than own (for security reasons). Or slave devices might be inadequately configured (missing default gateway address) due to some reason. In both cases reply packets won’t get back to master device.
Which means that the easiest way of getting things play along is to keep all involved devices in same network (most such gadgets were designed with this objective). All other scenarios will potentially require a skilled person to implement everything needed in correct way.
If you insist you will need a rasberry pi and github LOL.
and a mnds reflector
http://forum.mikrotik.com/t/setting-up-avahi-reflector-in-mikrotik/139370/1
https://github.com/kennylevinsen/mdns-repeater
Could you give me a real world example to make it more clear for me? What devices are able to do that?
Beyond my capabilities sorry.