VLAN possible?

Good plan; firewall rules will help you open up some devices/users across VLANs when required.
Be aware that some services (BONJOUR and SONOS) will not necessarily work outside of the VLAN regardless.

Your best bet is to read this excellent reference and give a config a try based on your plan.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Then come back and post your results for further assistance.
/export hide-sensitive file=anynameyouwish
(just to be safe, ensure the config contains no WAN IPs or WAN gateway info).

The config will entail using a single bridge and vlans for ALL subnets.
Sometimes it's easier to do the config OUTSIDE of the main LAN/subnet and off the bridge you are creating.
If interested, take the least used port on your MT.
a. let's say port 5, and give it a name: ether5-access
b. ensure it's not on a bridge
c. give it an IP of 192.168.5.2, network 192.168.5.0
d. ensure ether5-access is an interface list member of the LAN

Then you should be able to access the router via Winbox using your computer/laptop plugged into ether5, by setting on the PC/laptop an IPv4 address of, let's say, 192.168.5.5, gateway 192.168.5.1, mask 255.255.255.0. This should give you the best experience while attempting the config. Obviously best to do while all else is sleeping LOL.

Also pre-empting a little bit but you will want to change the forward chain firewall rules to get ready for vlans…
REMOVE THIS RULE
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

AND REPLACE WITH THREE RULES
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

The new LAST rule in the forward chain DROPs all traffic, unless before this rule you state what is allowed.
This is powerful and stops WAN to LAN, LAN to LAN and LAN to WAN routing (L3).
It's efficient because now all your VLANs will be blocked from each other at L3.
It's probably clear now why we had to add in the extra rule allowing your VLANs to reach the internet.

We took the one rule above, which did two things in one rule: it stopped all WAN to LAN traffic, and it also allowed WAN to LAN traffic but only for port forwarding purposes.
What we did above is a more complete job of security: stopping all traffic at the end but, before this, allowing port forwarding and internet traffic.

Where the ++++++++++++++++ is located is where you should add any nuanced rules to allow for any other traffic flow the admin requires, for example a shared printer between VLANs or anything else.
Rule of THUMB:
a. if you have 2 or more INTERFACES (in this case VLAN subnets) involved in a firewall rule, create a new interface list and add them as members.
b. if you have some IP addresses from the same subnet, or across subnets, then use a firewall address list to identify them for firewall rule purposes.
c. In other words, any grouping that includes individual IPs is best accomplished via a firewall address list (IPs, IPs + IPs, IPs + subnets).
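
The rule of thumb above applied to the shared-printer case, as an added example that is not part of the original post. The VLAN interface names (vlan10-home, vlan20-guest), the list names and the printer address 192.168.30.50 are assumptions; substitute your own.

```routeros
# Added example: all names and addresses below are assumed, not from the post.

# (a) Two or more interfaces in one rule: group them in an interface list.
/interface list
add name=PRINTER-USERS comment="VLANs allowed to reach the shared printer"
/interface list member
add interface=vlan10-home list=PRINTER-USERS
add interface=vlan20-guest list=PRINTER-USERS

# (b)/(c) Individual IPs, from one subnet or several: use a firewall address list.
/ip firewall address-list
add list=shared-printers address=192.168.30.50 comment="printer on its own VLAN"

# The allow rule belongs where the ++++ marker sits, i.e. BEFORE the final drop.
# A plain "add" appends to the end of the chain, after "drop all else", where
# the rule would never match, so place-before is used to insert it ahead of the drop.
# Reply traffic from the printer is assumed to be covered by the default
# established/related accept rule earlier in the forward chain.
/ip firewall filter
add action=accept chain=forward in-interface-list=PRINTER-USERS \
    dst-address-list=shared-printers comment="allow shared printer" \
    place-before=[find where comment="drop all else"]

# Check the resulting order: the accept must be listed above "drop all else".
/ip firewall filter print where chain=forward
```

Only the listed VLANs can open connections to the printer address; every other inter-VLAN flow still reaches the final drop rule.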