Two separate networks on a hAP ax3?

Two VLANs; the non-IoT one should be your trusted VLAN.
Just don't assign the IoT VLAN to the LAN interface list, so that a LAN to WAN firewall rule will not permit the IoT VLAN to the internet.

To set up VLANs, use
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
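
The interface-list approach described above, as an added RouterOS sketch that is not part of the original post. The VLAN IDs, interface names (`vlan10-trusted`, `vlan20-iot`), the `bridge` and `ether1` names, and the existence of `WAN` and `LAN` interface lists are assumptions; bridge VLAN setup from the linked guide is assumed to be done already.

```routeros
# Constructed example: names and VLAN IDs are assumptions, adjust to your setup.

# One VLAN interface per network, both on the existing bridge.
/interface vlan
add interface=bridge name=vlan10-trusted vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20

# Only the trusted VLAN joins the LAN list.
# vlan20-iot is deliberately left out of every list.
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-trusted list=LAN

# Forward chain: the LAN-to-WAN accept only restricts anything
# because a later rule drops whatever was not explicitly allowed.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="trusted VLAN to internet"
add chain=forward action=drop \
    comment="drop the rest, including vlan20-iot to WAN and vlan20-iot to trusted"

# Check the result: vlan20-iot must not appear in this output.
/interface list member print where list=LAN
```

Without the final drop rule in the forward chain, leaving the IoT VLAN out of the LAN list has no effect, because traffic that matches no rule is accepted.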