Having mixed or separate trusted users and device management networks is a matter of choice, risk profile, etc.
Using VLAN 1 is not wrong, you just have to be aware of how it is handled by different vendors - it is often reserved for any untagged traffic / not permited for tagged.
Mikrotik use VLAN ID 1 as the default PVID, and being the default it does not appear in /export. One major confusion is that a Mikrotik bridge is essentialy an embedded switch, in addition to any ports you add there is an intrinsic bridge-to-CPU port - see http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1 A common mistake is to add an /interface vlan for VLAN 1 without either changing the /interface bridge PVID, or configuring the bridge-to-CPU port as tagged-only instead of hybrid.
If you wish to replicate your Asus setup without reconfiguring everything else:
start with the factory default Mikrotik configuration,
change the LAN IP address, DHCP server & IP pool range to match your original VLAN 1 settings and enable vlan filtering on the bridge,
change the WAN settings if you require a PPPoE client and/or VLAN,
add a VLAN 20 interface, IP address, DHCP server & IP pool, plus bridge VLAN tagged membership of the bridge, ether2 & ether4 for VLAN 20,
add/modify firewall rules as required.