VLAN possible?

Hi
This is for a home setup
I have an ISP-supplied fiber modem that is bridged. That is connected to my RB750Gr3 via ethernet 1.
The RB750Gr3 ethernet 2 is connected to a simple network switch, to which two Raspberry Pis and a Eufycam Homebase 2 are connected. One of the RPis is running Home Assistant and the other running PiHole (my home DNS).
The RB750Gr3 ethernet 3 is connected to a Netgear MR60 wireless access point which the bulk of phones, chromecasts, tvs, laptops, sonos, and phones are connected.

I want to create a set of VLANs to isolate primarily my IoT devices that might be more prone to be “unsecure”, but still enable Home Assistant to communicate with these freely.
I’m guessing this would be something like this;
1.png
I have tried to read up on the topic, but I feel that it’s way too hard to read so much that I can create it all correctly from scratch…

So I'm asking for help;
Could someone help me out with the creation of these VLANs, how to set them up, and place my devices in the right category, and also implement the correct rules to make the communication between them work?

It would be much appreciated =)
Best of regards!

# dec/17/2021 16:19:35 by RouterOS 7.1
# software id = M2VH-09C3
#
# model = RB750Gr3
# serial number = D5030E324875
/interface bridge
add admin-mac=2C:C8:1B:A5:14:C0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-port-Drosk-ISP-Modem
set [ find default-name=ether2 ] comment=LAN-Drosk-Switch
set [ find default-name=ether3 ] comment=LAN-Droskv-MR60-AP
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=10.0.0.90-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script=":local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  :local ttl\r\
    \n  :local domain\r\
    \n  :local hostname\r\
    \n  :local fqdn\r\
    \n  :local leaseId\r\
    \n  :local comment\r\
    \n\r\
    \n  /ip dhcp-server\r\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network \r\
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  \r\
    \n  .. lease\r\
    \n  :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\r\
    \n\r\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\r\
    \n  {\r\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\r\
    \n   :error \"multiple active leases for \$leaseActIP\"\r\
    \n  }  \r\
    \n\r\
    \n  :set hostname [ get \$leaseId host-name ]\r\
    \n  :set comment [ get \$leaseId comment ]\r\
    \n  /\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\r\
    \n    :error \"empty lease host-name or comment\"\r\
    \n  }\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\r\
    \n    :error \"empty network domain name\"\r\
    \n  }\r\
    \n\r\
    \n  :set fqdn \"\$hostname.\$domain\"\r\
    \n  \r\
    \n  /ip dns static\r\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\r\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\r\
    \n  } else=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \r\
    \n  }\r\
    \n  /\r\
    \n} \\\r\
    \nelse=\\\r\
    \n{\r\
    \n  /ip dns static\r\
    \n  :local dnsDhcpId \r\
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n\r\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\r\
    \n    remove \$dnsDhcpId\r\
    \n  }\r\
    \n  /\r\
    \n}" lease-time=6m name=defconf
/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.0.33 client-id=1:dc:a6:32:ba:2d:3e mac-address=\
    DC:A6:32:BA:2D:3E server=defconf
add address=10.0.0.43 mac-address=A8:BB:50:D5:3A:D4 server=defconf
add address=10.0.0.42 mac-address=A8:BB:50:D5:38:10 server=defconf
add address=10.0.0.40 mac-address=A8:BB:50:D5:44:CA server=defconf
add address=10.0.0.45 mac-address=6C:29:90:51:82:42 server=defconf
add address=10.0.0.41 mac-address=A8:BB:50:D5:3A:0E server=defconf
add address=10.0.0.38 client-id=1:8c:85:80:62:22:20 comment=\
    "Eufycam Barnrummet" mac-address=8C:85:80:62:22:20 server=defconf
add address=10.0.0.3 client-id=1:28:80:88:29:17:2d comment=MR60 mac-address=\
    28:80:88:29:17:2D server=defconf
add address=10.0.0.5 client-id=1:2:f:b5:25:e4:ef mac-address=\
    02:0F:B5:25:E4:EF server=defconf
add address=10.0.0.35 mac-address=02:0F:B5:01:AE:2C server=defconf
add address=10.0.0.55 client-id=1:0:4:4b:ef:f7:4 comment="Nvidia Shield TV" \
    mac-address=00:04:4B:EF:F7:04 server=defconf
add address=10.0.0.15 client-id=Tablet_001 mac-address=60:D9:A0:E9:FA:5A \
    server=defconf
add address=10.0.0.12 client-id=1:38:fb:14:9b:c9:e comment=Ebba mac-address=\
    38:FB:14:9B:C9:0E server=defconf
add address=10.0.0.13 client-id=1:8e:74:4c:e9:64:fb comment=\
    "Isabellas telefon" mac-address=8E:74:4C:E9:64:FB server=defconf
add address=10.0.0.53 client-id=1:0:e:58:72:22:78 comment="Sonos Vardagsrum" \
    mac-address=00:0E:58:72:22:78 server=defconf
add address=10.0.0.52 client-id=1:34:7e:5c:82:4e:8e comment="Sonos TV-rum" \
    mac-address=34:7E:5C:82:4E:8E server=defconf
add address=10.0.0.14 client-id=1:fe:62:4e:f8:82:d6 comment="Linneas telefon" \
    mac-address=FE:62:4E:F8:82:D6 server=defconf
add address=10.0.0.51 comment="Sonos Kok" mac-address=78:28:CA:22:43:4A \
    server=defconf
add address=10.0.0.37 client-id=1:8c:85:80:77:42:75 comment=HomeBase2 \
    mac-address=8C:85:80:77:42:75 server=defconf
add address=10.0.0.11 client-id=1:e2:40:26:e:25:cd comment=Sofie mac-address=\
    E2:40:26:0E:25:CD server=defconf
add address=10.0.0.10 client-id=1:34:79:16:ac:a4:26 comment=Andreas \
    mac-address=34:79:16:AC:A4:26 server=defconf
add address=10.0.0.16 mac-address=D0:F8:8C:21:F1:04 server=defconf
add address=10.0.0.31 comment=PiHole mac-address=00:00:10:01:49:4A server=\
    defconf
add address=10.0.0.4 client-id=1:10:c:6b:4a:4a:74 comment=MS60 mac-address=\
    10:0C:6B:4A:4A:74 server=defconf
add address=10.0.0.56 client-id=1:48:6d:bb:d7:97:1b mac-address=\
    48:6D:BB:D7:97:1B server=defconf
add address=10.0.0.17 mac-address=54:27:58:F0:16:95 server=defconf
add address=10.0.0.60 client-id=1:80:c5:f2:ca:3d:73 comment=\
    "Andreas laptop wifi" mac-address=80:C5:F2:CA:3D:73 server=defconf
add address=10.0.0.18 client-id=1:66:63:40:90:a5:47 comment="Maja iPhone" \
    mac-address=66:63:40:90:A5:47 server=defconf
add address=10.0.0.61 client-id=1:5c:80:b6:f7:9a:2c comment=\
    "Sofie laptop wi-fi" mac-address=5C:80:B6:F7:9A:2C server=defconf
add address=10.0.0.19 client-id=1:60:7e:c9:aa:21:ec mac-address=\
    60:7E:C9:AA:21:EC server=defconf
add address=10.0.0.20 client-id=1:4e:9f:b6:b5:72:62 comment="Elsas iPad3" \
    mac-address=4E:9F:B6:B5:72:62 server=defconf
add address=10.0.0.21 client-id=1:22:8c:47:a1:db:a2 comment="Majas iPad4" \
    mac-address=22:8C:47:A1:DB:A2 server=defconf
add address=10.0.0.62 client-id=1:ac:89:95:f6:6a:5b comment=\
    "Linneas Skoldator" mac-address=AC:89:95:F6:6A:5B server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 domain=drosk \
    gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=10.0.0.15 comment=#DHCP name=android-2d3eb2e5c2b44bfa.drosk ttl=\
    6m
add address=10.0.0.43 comment=#DHCP name=wiz_d53ad4.drosk ttl=6m
add address=10.0.0.40 comment=#DHCP name=wiz_d544ca.drosk ttl=6m
add address=10.0.0.4 comment=#DHCP name=MS60.drosk ttl=6m
add address=10.0.0.41 comment=#DHCP name=wiz_d53a0e.drosk ttl=6m
add address=10.0.0.45 comment=#DHCP name=wiz_518242.drosk ttl=6m
add address=10.0.0.3 comment=#DHCP name=MR60.drosk ttl=6m
add address=10.0.0.37 comment=#DHCP name=HomeBase2.drosk ttl=6m
add address=10.0.0.35 comment=#DHCP name=Telldus-TellStick-ZNet-Lite-v2.drosk \
    ttl=6m
add address=10.0.0.38 comment=#DHCP name="Eufycam Barnrummet.drosk" ttl=6m
add address=10.0.0.11 comment=#DHCP name=Pixel-4a.drosk ttl=6m
add address=10.0.0.10 comment=#DHCP name=HUAWEI_P30-7b1c4007e5df17.drosk ttl=\
    6m
add address=10.0.0.56 comment=#DHCP name=ANDERSSON-TV.drosk ttl=6m
add address=10.0.0.60 comment=#DHCP name=Andreas-ASUS.drosk ttl=6m
/ip firewall address-list
add address=123.123.123.123 disabled=yes list=WANs
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=wg dst-port=51845 in-interface-list=\
    WAN protocol=udp to-addresses=10.0.0.31 to-ports=51845
add action=dst-nat chain=dstnat comment=piholeNAT1 dst-address=!10.0.0.31 \
    dst-port=53 in-interface=bridge protocol=udp src-address=!10.0.0.31 \
    to-addresses=10.0.0.31
add action=dst-nat chain=dstnat comment=piholeNAT2 dst-address=!10.0.0.31 \
    dst-port=53 in-interface=bridge protocol=tcp src-address=!10.0.0.31 \
    to-addresses=10.0.0.31
add action=masquerade chain=srcnat comment=piholeNAT3 dst-address=10.0.0.31 \
    dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=piholeNAT4 dst-address=10.0.0.31 \
    dst-port=53 protocol=tcp src-address=10.0.0.0/24
/ip kid-control device
add mac-address=00:00:10:01:49:4A name="RpiZEthernet;4"
add mac-address=DC:A6:32:BA:2D:3E name="homeassistant;4"
add mac-address=02:0F:B5:01:AE:2C name="Telldus-TellStick-ZNet-Lite-v2;4"
add mac-address=28:80:88:29:17:2D name="MR60;-2"
add mac-address=A8:BB:50:D5:44:CA name="wiz_d544ca;6"
add mac-address=A8:BB:50:D5:3A:D4 name="wiz_d53ad4;6"
add mac-address=A8:BB:50:D5:38:10 name="wiz_d53810;6"
add mac-address=A8:BB:50:D5:3A:0E name="wiz_d53a0e;6"
add mac-address=6C:29:90:51:82:42 name="wiz_518242;6"
add mac-address=02:0F:B5:25:E4:EF name="WN3000RPv3;5"
add mac-address=FE:62:4E:F8:82:D6 name="OnePlus-Nord-N100;2"
add mac-address=38:FB:14:9B:C9:0E name="HUAWEI_Y5_2019-998742728e;2"
add mac-address=34:79:16:AC:A4:26 name="HUAWEI_P30-7b1c4007e5df17;2"
add mac-address=60:D9:A0:E9:FA:5A name="android-2d3eb2e5c2b44bfa;2"
add mac-address=8E:74:4C:E9:64:FB name="OnePlus-Nord-N1002;2"
add mac-address=E2:40:26:0E:25:CD name="Pixel-4a;2"
add mac-address=8C:85:80:77:42:75 name="Homebase eufycam;4"
add mac-address=8C:85:80:62:22:20 name="Eufycam barnrummet;8"
add mac-address=7C:2E:BD:F4:02:23 name="Chromecast;3"
add mac-address=48:6D:BB:D7:97:1B name="ANDERSSON-TV;3"
add mac-address=00:04:4B:EF:F7:04 name="Nvidia Shield Tv;3"
add mac-address=10:0C:6B:4A:4A:74 name="MS60;-2"
add mac-address=D0:F8:8C:21:F1:04 name="android-11e665960771a264;2"
add mac-address=5C:80:B6:F7:9A:2C name="LAPTOP-3OG50167;1"
/system clock
set time-zone-name=Europe/Stockholm
/system package update
set channel=development
/system scheduler
add interval=1m name=PingCheckPiDNS on-event=":local piholeDNS \"10.0.0.31\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n\r\
    \n:if ([/ip firewall nat [find comment=\"piholeNAT1\"] enabled]) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT1\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT2\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT3\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT4\"]\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT1\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT2\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT3\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT4\"]\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2021 start-time=18:56:53
/system script
add dont-require-permissions=no name=script1 owner=andi policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    test
add dont-require-permissions=no name=leasescript001 owner=andi policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  :local ttl\r\
    \n  :local domain\r\
    \n  :local hostname\r\
    \n  :local fqdn\r\
    \n  :local leaseId\r\
    \n  :local comment\r\
    \n\r\
    \n  /ip dhcp-server\r\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network \r\
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  \r\
    \n  .. lease\r\
    \n  :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\r\
    \n\r\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\r\
    \n  {\r\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\r\
    \n   :error \"multiple active leases for \$leaseActIP\"\r\
    \n  }  \r\
    \n\r\
    \n  :set hostname [ get \$leaseId host-name ]\r\
    \n  :set comment [ get \$leaseId comment ]\r\
    \n  /\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\r\
    \n    :error \"empty lease host-name or comment\"\r\
    \n  }\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\r\
    \n    :error \"empty network domain name\"\r\
    \n  }\r\
    \n\r\
    \n  :set fqdn \"\$hostname.\$domain\"\r\
    \n  \r\
    \n  /ip dns static\r\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\r\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\r\
    \n  } else=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \r\
    \n  }\r\
    \n  /\r\
    \n} \\\r\
    \nelse=\\\r\
    \n{\r\
    \n  /ip dns static\r\
    \n  :local dnsDhcpId \r\
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n\r\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\r\
    \n    remove \$dnsDhcpId\r\
    \n  }\r\
    \n  /\r\
    \n}"
/system watchdog
set auto-send-supout=yes send-email-from=¤¤¤¤\
    send-email-to=¤¤¤¤¤m send-smtp-server=smtp.gmail.com \
    watch-address=10.0.0.31 watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Good plan, firewall rules will help you open up some devices/users across VLANs when required.
Be aware that some services, like BONJOUR and SONOS, will not necessarily work outside of the VLAN regardless.

Your best bet is to read this excellent reference and give a config a try based on your plan.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Then come back and post your results for further assistance.
/export hide-sensitive file=anynameyouwish
(just to be safe, ensure the config contains no WAN IPs or WAN gateway info).

The config will entail using a single bridge and vlans for ALL subnets.
Sometimes it's easier to do the config OUTSIDE of the main LAN/subnet and off the bridge you are creating.
If interested, take the least used port on your MT.
a. let's say port 5, and give it a name: ether5-access
b. ensure it's not on a bridge
c. give it an IP of 192.168.5.2 network 192.168.5.0
d. ensure ether5-access is an interface list member of the LAN

Then you should be able to access the Router via winbox using your computer/laptop plugged into ether5 by using on the pc/laptop an IPv4 address of, let's say, 192.168.5.5 gateway 192.168.5.1 mask 255.255.255.0. This should give you the best experience while attempting the config. Obviously best to do while all else is sleeping LOL.

Also pre-empting a little bit, but you will want to change the forward chain firewall rules to get ready for VLANs…
REMOVE THIS RULE
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

AND REPLACE WITH THREE RULES
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

The new LAST rule in the forward chain DROPs all traffic, unless before this rule you state what is allowed.
This is powerful and stops WAN to LAN, LAN to LAN and LAN to WAN routing (L3).
It's efficient because now all your VLANs will be blocked from each other at L3.
It's probably clear now why we had to add in the extra rule of allowing your VLANs to reach the internet.

We took the one rule above which did two things (in one rule) it stopped all WAN to LAN traffic, and it also allowed WAN to LAN traffic but only for port forwarding purposes.
What we did above is do a more complete job of security by stopping all traffic at the end but before this allow port forwarding and internet traffic.

Where the ++++++++++++++++ is located is where you should add any nuanced rules to allow for any other traffic flow the admin requires, for example
a shared printer between vlans or anything else.
Rule of THUMB,
a. if you have 2 or more INTERFACES (in this case VLAN subnets) involved in a firewall rule, create a new interface list and add them as members.
b. if you have some IP addresses from the same subnet, or across subnets, then use a firewall address list to identify them for firewall rule purposes.
c. In other words, any grouping that includes individual IPs is best accomplished via a firewall address list (IPs, IPs + IPs, IPs + subnets).
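The steps a-d above (management port off the bridge) and the reworked forward chain, written out as one RouterOS config fragment. This is an added example for this thread, not anav's config and not a MikroTik reference: the interface names ether5-access, vlan10-home and vlan20-iot, the VLAN ids 10/20, the subnets 10.10.0.0/24 and 10.20.0.0/24, the assumed Home Assistant address 10.10.0.33, the address list HA and the port layout (ether2 = IoT access port, ether3 = home access port) are all assumptions chosen for illustration. The one rule placed at the ++++ position shows rule of thumb b/c: the single host that may cross VLANs is named in an address list rather than in the rule itself, and the return traffic is already accepted by the defconf established,related rule that sits above these.

```routeros
# Added example, not from the thread. Assumed names/values: ether5-access,
# vlan10-home/vlan20-iot, 10.10.0.0/24, 10.20.0.0/24, HA = 10.10.0.33.

# 1. Out-of-band management port (steps a-d). The posted config has ether5
#    on the bridge, so take it off first; then address it and mark it LAN so
#    the defconf input-chain rule "drop all not coming from LAN" still admits it.
/interface bridge port
remove [ find interface=ether5 ]
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/ip address
add address=192.168.5.2/24 interface=ether5-access network=192.168.5.0
/interface list member
add interface=ether5-access list=LAN
# Laptop on ether5: 192.168.5.5/24, Winbox to 192.168.5.2.

# 2. Two VLAN interfaces on the existing bridge, one untagged access port each
#    (assumed layout: ether2 carries VLAN 20, ether3 carries VLAN 10).
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
/ip address
add address=10.10.0.1/24 interface=vlan10-home network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20-iot network=10.20.0.0
/interface bridge port
set [ find interface=ether3 ] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether2 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20

# 3. Both VLAN interfaces join the LAN interface list, so the existing input
#    rules and the "allow internet traffic" rule below cover them (rule of thumb a).
/interface list member
add interface=vlan10-home list=LAN
add interface=vlan20-iot list=LAN

# 4. Address list for the one host allowed to cross VLANs (rule of thumb b/c).
/ip firewall address-list
add address=10.10.0.33 comment="Home Assistant (assumed address)" list=HA

# 5. Forward chain: drop the defconf WAN rule, add the three replacement rules,
#    with the nuanced rule at the ++++ position. Order matters: the final drop
#    must stay last, after every accept.
/ip firewall filter
remove [ find comment="defconf: drop all from WAN not DSTNATed" ]
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Home Assistant -> IoT VLAN" src-address-list=HA out-interface=vlan20-iot
add action=drop chain=forward comment="drop all else"

# 6. Turn VLAN filtering on last, from the ether5-access session, so a mistake
#    in the VLAN table cannot lock you out of the router.
/interface bridge
set bridge vlan-filtering=yes
```

Check the result with `/ip firewall filter print` (the drop rule must be the last forward entry) and `/interface bridge vlan print` (each access port listed once, untagged, in exactly one VLAN). IoT devices in VLAN 20 can answer Home Assistant because their replies match the established,related accept rule, but they cannot open new connections toward VLAN 10, which is the isolation the OP asked for.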

I greatly appreciate the help.
My “issue” right here is that I’m lost at first base;
What type is my hardware setup?

Is it Router-Switch-AP (all in one)
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Or is it access point only?
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I for one guess that it's the first, Router-Switch-AP (all in one)

Neither!

The hex is only a router but YES, use the router with separate switch and simply look at the ROUTER CONFIG by itself.
IF the answer to the first question is YES below, then you can get ideas on setup for that even though it may not be an MT device ( I use several brands so can assist).

Two questions!
First, is the switch a smart switch that can read VLANs or a dumb switch that cannot?
Second, is the AP able to read VLANs or not able to (typically one needs VLANs to assign more than one WLAN)?

Okay I see the MR60 is a wifi router, not an access point.
It can be run in AP mode but you lose its ability to use the VLAN, but the VLAN it has is not for the LAN but to bridge between the internet and, let's say, an IPTV device from the provider.
In other words, neither mode is capable of multi vlans for your lan network.
So the best you can hope for is AP mode at this point and thus are unable to separate devices wirelessly into different vlans or isolate them from each other.

You would be better off with a proper access point that can be managed IF THATS WHAT YOU WANT.
Typically I recommend a TPLINk eap245, TPLInk 620 or 660HD depending upon one's budget.
I see a grandstream gwn7660 being sold for $94 (similar to TP 620 in features/capabilities).

Anav, thanks!!
This is extremely helpful! :)
I found the TP-Link EAP245 v3 for around 85 euros, that's ok for me at the moment.
How do you feel about the MikroTik cAP ac RBcAPGi-5acD2nD? It's approx. 65 euros.

or an Audience Mesh Access Point?

hi there,
I have both, and prefer the TPLINK over the capac; it works, it's stable, I get decent wifi5 speeds and it's affordable.
The audience is better than both but has its downsides at the moment and I don't have any personal experience.
Search the forums for audience in the threads… gotsprings is one user that has one and is useful to read his posts.