There should be a setting for this in the router (and Mikrotik switches too) to avoid routing between other interfaces and the management VLAN interface.
There is such a setting:
/ip firewall filter add action=drop chain=forward place-before=0 out-interface=vlan-mgmt
Obviously, replace vlan-mgmt with the correct name for your management VLAN. This will work in any firewall, but it will also prevent your management VLAN from talking to the internet. Ideally, move it just beneath your "accept established/related" rule.
On the other hand, I can't fully blame you, because this is caused by the faulty default/factory config included in the current (v6.47.2) RouterOS version. Let me explain:
The default config currently contains the following "forward" rules:
/ip firewall {
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
(I removed the "input" chain because it is irrelevant in this context; however, it suffers from the same issue.)
With a brief look at it, it seems fine: it accepts data from/to IPsec tunnels, accepts/fasttracks established connections, drops invalid, and drops new connections from WAN which are not DST-NATted.
As long as you don't touch your settings, it will be fine. But adding any other interface means that it will be open to forwarding from anywhere except WAN = not secure by default.
Currently, people have to make an effort to secure their router, which is implicitly insecure.
This approach is something I personally strongly disagree with, and I believe that every interface should be secured by default. Everyone who adds an interface can also add a FW rule to open it as required.
Correctly, an effort should be required to unsecure the router, which is implicitly secured.
I understand it is impossible to change the logic of the whole firewall and that's fine (i.e. if there is no rule at all, traffic will flow), but a small change in the default rules would have a huge impact on security. My idea is the following:
/ip firewall {
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
filter add chain=forward action=accept connection-nat-state=dstnat comment="accept all DSTNATed"
filter add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="accept LAN to WAN"
filter add chain=forward action=drop comment="drop everything else"
}
With this approach, you are explicitly ending your set of rules using "drop everything else". That means you have to whitelist (allow/accept) every single separate type of traffic you want to allow.
If you had this FW as default and you created the Management VLAN, it would be by default secure.
I admit that splitting the last rule into three separate rules may consume more CPU, but the difference will be negligible. On the other hand, the security of this approach is much higher than that of the original defconf. I am confident that the trade-off is worth it.
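To make the difference between the three rule sets in this post concrete (the v6.47.2 defconf, that defconf with the quick "drop out-interface=vlan-mgmt" rule placed at position 0, and the proposed explicit-drop set), here is a small Python model of RouterOS forward-chain evaluation: first terminating match wins, and a packet that reaches the end of the chain without a verdict is accepted. This is an added example, not code from the post or from MikroTik. The interface-list membership and the sample flows are constructed, a freshly created VLAN is assumed to be in no interface list, and fasttrack-connection is modelled as non-terminating (it marks the connection and the packet continues down the chain).

```python
"""First-match model of a RouterOS 'forward' chain, comparing the v6.47.2
defconf, the quick per-VLAN drop fix, and the proposed explicit-drop set.
Added example; not code from the post or from MikroTik."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed: a freshly created VLAN interface belongs to no interface list.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str                   # new / established / related / invalid / untracked
    nat_state: Optional[str] = None   # None, "dstnat" or "srcnat"
    ipsec: Optional[str] = None       # None, "in" or "out"


@dataclass
class Rule:
    action: str                       # accept / drop / fasttrack-connection
    comment: str
    match: Callable[[Packet], bool]


def in_list(list_name, iface):
    return iface in INTERFACE_LISTS.get(list_name, set())


def evaluate(chain, pkt):
    """Walk the chain; the first terminating match decides. RouterOS accepts
    anything that falls off the end of a chain without a verdict."""
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.action == "fasttrack-connection":
            continue  # simplification: flags the connection, gives no verdict
        return rule.action, rule.comment
    return "accept", "implicit end-of-chain accept"


# Rules shared by both sets (same semantics as the post's defconf lines)
IPSEC_IN = Rule("accept", "accept in ipsec policy", lambda p: p.ipsec == "in")
IPSEC_OUT = Rule("accept", "accept out ipsec policy", lambda p: p.ipsec == "out")
FASTTRACK = Rule("fasttrack-connection", "fasttrack",
                 lambda p: p.conn_state in ("established", "related"))
ACCEPT_EST = Rule("accept", "accept established,related,untracked",
                  lambda p: p.conn_state in ("established", "related", "untracked"))
DROP_INVALID = Rule("drop", "drop invalid", lambda p: p.conn_state == "invalid")

DEFCONF = [
    IPSEC_IN, IPSEC_OUT, FASTTRACK, ACCEPT_EST, DROP_INVALID,
    Rule("drop", "drop all from WAN not DSTNATed",
         lambda p: p.conn_state == "new" and p.nat_state != "dstnat"
         and in_list("WAN", p.in_iface)),
]

# Quick fix from the post: drop towards vlan-mgmt, placed before everything else
QUICK_FIX = [Rule("drop", "drop to vlan-mgmt",
                  lambda p: p.out_iface == "vlan-mgmt")] + DEFCONF

PROPOSED = [
    FASTTRACK, ACCEPT_EST, IPSEC_IN, IPSEC_OUT, DROP_INVALID,
    Rule("accept", "accept all DSTNATed", lambda p: p.nat_state == "dstnat"),
    Rule("accept", "accept LAN to WAN",
         lambda p: in_list("LAN", p.in_iface) and in_list("WAN", p.out_iface)),
    Rule("drop", "drop everything else", lambda p: True),
]

# Constructed sample flows, including the management-VLAN case from the post
FLOWS = {
    "lan_to_wan": Packet("bridge", "ether1", "new"),
    "wan_unsolicited": Packet("ether1", "bridge", "new"),
    "port_forward": Packet("ether1", "bridge", "new", nat_state="dstnat"),
    "wan_reply_to_lan": Packet("ether1", "bridge", "established"),
    "lan_to_mgmt_vlan": Packet("bridge", "vlan-mgmt", "new"),
    "mgmt_vlan_to_wan": Packet("vlan-mgmt", "ether1", "new"),
    "wan_reply_to_mgmt_vlan": Packet("ether1", "vlan-mgmt", "established"),
}


def verdicts(chain):
    """Map each sample flow name to the chain's verdict for it."""
    return {name: evaluate(chain, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, chain in (("defconf", DEFCONF), ("quick fix", QUICK_FIX),
                         ("proposed", PROPOSED)):
        print(label)
        for name, pkt in FLOWS.items():
            action, why = evaluate(chain, pkt)
            print(f"  {name:24s} {action:7s} ({why})")
```

Running it shows the three points made above: the defconf accepts new traffic from the LAN into vlan-mgmt by implicit end-of-chain accept, the quick fix drops that but also drops established replies heading back into vlan-mgmt (which is why it belongs beneath the accept established/related rule), and the proposed set drops both lan_to_mgmt_vlan and mgmt_vlan_to_wan until an explicit accept rule for the new VLAN is added, while LAN-to-WAN, DST-NATed and established flows still pass.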