Doing all of this on a new-to-you platform is going to involve a steep learning curve. That's great if you have the time. If you know how to do all of this with something else, you may want to go that direction, even if it costs more. If you have to learn how to do this for any platform you might use, the MikroTik gear is probably close to the most cost-effective platform to learn on.
I hope you have access to a good cordless drill and sharp bits...
I've just (today) ordered an RB3011UiAS-RM to be the gateway to the new system.
- For Wi-Fi, I want to have [at least] four separate networks: A guest network (secured, but with a simple password) with filtered access and time limits (no one should be accessing the guest network at a church after midnight!) which cannot reach the church computers or server; a regular network for teachers and staff and such which can access media and church data; a hidden admin network; and an IoT network with a strong password for smart thermostats and the like.
RouterOS can handle all the VLANs you want. It can also isolate the VLANs however you need. RouterOS can have a lot of SSIDs in different VLANs on each physical AP. You can hide the SSIDs on any vAPs you want. With CAPsMAN you can even avoid having to build the Virtual APs on each AP. cAPs, hAPs, and wAPs are all useful as APs. With the AC models, you can have 5 GHz and 2.4 GHz, which helps share the load in dense environments. I'm not sure how heavily you expect your people to be using devices during services. There seem to be a lot of ways they are being integrated into the services these days.
Filtering and time limits are easier with the multiple VLANs. You're headed in the right direction there.
When installing several APs in a dense area, you want to hide the APs from one another as much as possible. That usually means using bags of water (human bodies) to block/absorb the signals from other APs. That sometimes means you want to mount the APs under the pews. You definitely do not want them in the rafters.
- I want to put the surveillance cameras (physical wired PoE) on their own VLAN which can only access specific, restricted ports on the NAS and which CANNOT "phone home" to China.
Easy firewall rules, possibly only 2 rules. Allow what you want and deny anything else.
- I want to set up a VPN with certificate access only (I don't trust passwords) which is to be the only way that anyone (including myself) can access administrative functions while outside the physical LAN.
Probably at least two options:
OpenVPN can probably use certs also. OpenVPN support seems not to be a priority in RouterOS.
- Our Internet service, at first, is going to be bare-bones basic business class...which I'm funding out of my own pocket; we currently have neither Internet nor telephone. I'll need to prioritize the VoIP addresses accordingly. Also, I want to restrict excessive usage, especially from the guest network.
Bare-bones business class is probably all you need. With the IP Cloud dynamic DNS feature of RouterOS, a static IP is less necessary these days. If you can do without a static IP it may save some monthly money. You can easily point a CNAME from your own domain, if you have one, at the IP Cloud hostname.
VoIP in a VLAN/subnet of its own. Use Queues, probably just the simple queues will be sufficient.
Use the queues for fair share of remaining resources on the guest network also with the PCQ up and down queue types.
- I also want to filter inappropriate websites and content...this is a church, after all!
This is more interesting, aka hard to do yourself. I'd probably just use some DNS servers which try to do that for you. There are several which are free to use for non-profits and home users. OpenDNS, Norton ConnectSafe, McAfee, SafeDNS, Untangle, and Dyn for a quick survey. Just set them up under IP DNS. You may want to also have firewall rules which redirect tcp/udp dst 53 to your MikroTik's caching DNS server.
- Finally, I want to restrict the physical LAN so that someone cannot just, for example, sneak into an unused classroom and plug in and access sensitive data. We should have a set list of authorized computers.
There are probably a few ways to deal with this. I might authorize users rather than devices. MAC cloning might be less useful that way. Your data is going to require strong credentials to access and not be transferred in the clear anyway, right? Right? I thought so. The LAN in your environment is as hostile as the open Internet. You'll have devices moving in and out of your network and won't know what they've caught on someone else's network. BYOD brings the sewer inside...
I don't think RouterOS supports 802.1x for wired devices. You might want switches which do support it. It depends on your level of paranoia.
Maybe use static ARP entries. Have DHCP add ARP entries. Set your interfaces' ARP setting to "reply-only" instead of "enabled". Static ARP entries are going to be a hassle long term. It might be less hassle to use static DHCP leases for anything that needs a static IP. At least you only have to make the change in one place when a device is replaced.
Finally, all this stuff at present exists only in the back of my own mind. I've ordered the server rack and some of the hardware (and will order more once the next paycheck comes in), but I haven't started running wiring or anything yet. My assets include about 300' of Cat 5e interior cable and a new, unbroken 1000' box of Cat 6 exterior-grade; I also have the tools and cable tester and am comfortable running the physical wiring. But if anyone can make any suggestions at this stage which will make the job easier or leave possibilities open for future expansion, I'd like to hear them now.
If you can leave things in the wall, conduit, pull-strings, whatever, so that you can run fiber at some point in the future, it might be helpful. That could be as expensive as putting the fiber in now. It is possible to order pre-built fiber cables of the right length (add a healthy fudge factor).
You may be able to use some creativity to future proof the physical aspects if you take the time to think about them before you start.
Cat5e gets expensive when it's coming out of a volunteer's pockets, but I always regret not running at least two runs to each location; I really like four cables in a lot of places. You can easily end up with a desk phone, a computer, and a printer/scanner in the same place. Or two workstations/phones and a printer where you thought you would only ever have a phone and a computer. In a one-person office, I once ended up using 8 strands of Cat5. But that was an IT-focused office with test gear. If you hook them all into a patch panel, you have the most flexible voice/ethernet setup and can keep switching networks physically separate if that becomes useful. Just short patch cable moves when personnel make the inevitable room swaps. Dropping 5-port switches all over the building leads to madness in a couple of years.
I'd keep all the infrastructure wired as much as possible. The RF environment may end up a bit busy. Wired is more predictable and much faster once you have 3 users moving large files to and from a server.
When you get stuck, read the wiki. If you're still stuck, come back and ask specific questions. There are a lot of helpful people in here.
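As an added example (not from the reply above or from MikroTik's documentation), here is what the "allow what you want, deny anything else" camera VLAN and the "redirect dst 53 to the router's caching DNS" advice look like in RouterOS CLI terms. The VLAN IDs, interface names (bridge-lan, ether1-wan), the NAS address and the NAS ports are constructed for illustration; substitute your own.

```routeros
# --- Camera VLAN: can reach only specific NAS ports, nothing else (no Internet, no LAN) ---
/interface vlan
add name=vlan-cameras vlan-id=40 interface=bridge-lan comment="wired PoE cameras (example)"
add name=vlan-guest   vlan-id=30 interface=bridge-lan comment="guest Wi-Fi (example)"
/ip address
add address=10.40.0.1/24 interface=vlan-cameras
add address=10.30.0.1/24 interface=vlan-guest

/ip firewall address-list
add list=nas address=10.20.0.20 comment="NAS on the staff VLAN (assumed address)"

# Rule order matters: RouterOS evaluates filter rules top to bottom, first match wins.
/ip firewall filter
# Replies to sessions the NAS opened toward the cameras (e.g. the NVR pulling streams)
add chain=forward in-interface=vlan-cameras connection-state=established,related action=accept \
    comment="cameras: replies to NAS-initiated sessions"
# Cameras may open new connections only to the recording ports on the NAS (assumed ports)
add chain=forward in-interface=vlan-cameras dst-address-list=nas protocol=tcp dst-port=554,8000 \
    connection-state=new action=accept comment="cameras -> NAS recording ports only"
# Everything else from the camera VLAN is dropped, which also covers any 'phone home' attempt
add chain=forward in-interface=vlan-cameras action=drop comment="cameras: deny all else"

# --- Force guest DNS through the router's caching resolver ---
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220 \
    comment="upstream: OpenDNS resolvers (check their current filtering addresses)"
/ip firewall nat
add chain=dstnat in-interface=vlan-guest protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="guest DNS -> router cache"
add chain=dstnat in-interface=vlan-guest protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="guest DNS (tcp) -> router cache"
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach it,
# so refuse DNS arriving on the WAN interface to avoid becoming an open resolver.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
```

Two things to check after pasting this: `/ip firewall filter print` to confirm the camera accept rules sit above the drop rule (a rule added later lands at the bottom), and `/ip firewall connection print where src-address~"10.40.0."` during operation to see that only the NAS ports ever appear from the camera subnet.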
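A second added example (again mine, not the reply's or MikroTik's), covering the wired-LAN hardening suggested above (DHCP adds ARP entries, interface ARP set to reply-only, static DHCP leases instead of static ARP) and the PCQ fair-share queue for the guest network. VLAN IDs, addresses, MACs and rate limits are constructed placeholders.

```routeros
# --- Staff VLAN: only hosts that obtained a DHCP lease get ARP replies ---
/interface vlan
# reply-only: the router answers ARP for its own address but never learns new
# entries dynamically, so an unknown device plugged into a spare jack gets no
# route to the gateway even if it sets a static IP in the right subnet.
add name=vlan-staff vlan-id=20 interface=bridge-lan arp=reply-only comment="staff (example)"
/ip address
add address=10.20.0.1/24 interface=vlan-staff
/ip pool
add name=pool-staff ranges=10.20.0.100-10.20.0.199
/ip dhcp-server
# add-arp=yes creates the ARP entry for each lease, which is what makes reply-only workable
add name=dhcp-staff interface=vlan-staff address-pool=pool-staff add-arp=yes disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1
/ip dhcp-server lease
# Static lease for the NAS: one place to change when the hardware is replaced (constructed MAC)
add address=10.20.0.20 mac-address=02:00:00:00:00:20 server=dhcp-staff comment="NAS (example)"
# Anything that genuinely cannot use DHCP needs an explicit ARP entry instead:
/ip arp
add address=10.20.0.2 mac-address=02:00:00:00:00:02 interface=vlan-staff comment="managed switch (example)"

# --- Guest VLAN: cap the total and share it fairly per client with PCQ ---
/queue type
# pcq-rate is the per-client ceiling; classifier picks which address identifies a client
add name=pcq-guest-down kind=pcq pcq-classifier=dst-address pcq-rate=2M
add name=pcq-guest-up   kind=pcq pcq-classifier=src-address pcq-rate=1M
/queue simple
# max-limit is upload/download; queue= is upload-type/download-type
add name=guest-total target=10.30.0.0/24 max-limit=5M/20M queue=pcq-guest-up/pcq-guest-down \
    comment="guest Wi-Fi fair share (example figures)"
```

With reply-only in place, `/ip arp print where interface=vlan-staff` shows exactly the set of hosts the router will talk to; an address that appears there with no DHCP lease or static entry is worth a look. Verify the queue with `/queue simple print stats` while a few guest clients are active: each should plateau near the pcq-rate rather than one client taking the whole max-limit.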