Indeed, VLAN is Virtual LAN ... imagine you want to have two separate LANs (perhaps some routing between them, but that's the next step). If limited to using real hardware and dumb ethernet switches, you'd run two ethernet cables in parallel on certain connection paths (e.g. between different distribution switches or between routers and switches). Using VLANs enables you to use one physical interface/connection (i.e. a port on a switch and/or a UTP cable) but still have separation between the two LANs.
Let's say you need two separated LANs. If I were you, I'd start with configuring two VLANs on your managed switch with, for example, VLAN IDs (VIDs) 10 and 20. Then you dedicate some ports on the switch to each logical LAN by configuring them to be untagged/access ports for a given VLAN, for example ports 5-14 are configured with VID=10 and ports 15-24 with VID=20. At this point both VLANs are separated and a device connected to switch port 10 cannot communicate with a device connected to switch port 20.
Then you configure switch port number 1 as a tagged/trunk port and configure it to be a member of both VLANs. This port will be used to connect the switch with the RB.
The next step is to configure the RB. You first need to configure at least one port on the LAN side of the RB (e.g. port ether5) to be a trunked port with the same two VIDs (note that at least on my device, ethernet switch ports are enumerated starting with 0 being ether1):
/interface ethernet switch port
set 4 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether5 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether5 switch=switch1 vlan-id=20
Be sure you include the pseudo-port named switch1-cpu in any VLAN port list where you need to pass packets to the router's CPU - and that's needed when there's need for routing for a given VLAN.
The default configuration is to have all LAN ethernet ports on the RB (mostly that's ether2-ether5) members of a single bridge. My experience is that you don't need to reconfigure the bridge for use with VLANs, however you might want to configure the rest of the LAN ports to be untagged/access ports for one of the VLANs, for example:
/interface ethernet switch port
# ether3 below becomes access port of VLAN ID=10
set 2 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
# ether4 below becomes access port of VLAN ID=20
set 3 default-vlan-id=20 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether3,ether5 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether4,ether5 switch=switch1 vlan-id=20
In this case you can connect some device to one of those RB ports and have it become a member of a given VLAN in the same way as if it was connected to the appropriate port on the switch.
Then you need to add a special network interface so that the router can deal directly with packets in VLANs:
/interface vlan
add interface=bridge name=vlan-10 vlan-id=10
add interface=bridge name=vlan-20 vlan-id=20
/ip address
add address="router's address in VLAN 10 goes here"/24 interface=vlan-10 network="network address of VLAN 10 goes here"
add address="router's address in VLAN 20 goes here"/24 interface=vlan-20 network="network address of VLAN 20 goes here"
At this point every device in VLAN ID=10 can communicate with any device in VLAN ID=20. However, you need to set up the usual IP routing details on devices (such as making your RB the default router for those devices). If complete openness for communication between the two subnetworks is not desired, you would define some /ip firewall filter to limit cross-connectivity only to allowed cases.
If you have to connect some device which is capable of dealing with VLANs and it needs to be connected to more than one VLAN at the same time, that's possible as well. One example of such a device would be a Linux server which serves more than one VLAN. In this case you need to configure the appropriate ethernet port on the switch or RB to be a mixed port - such a port accepts both VLAN-tagged packets and untagged ones, making it a hybrid between a trunk port (dealing with tagged packets) and an access port (the untagged ports). The configuration of such a port is similar to this:
/interface ethernet switch port
set 2 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether3 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether3 switch=switch1 vlan-id=20
The difference between this setup and the similar section higher in this post is that the same port, which has one default-vlan-id setting, is listed as a member of more than one VLAN. Meaning that for the VLAN set as default, this port is an access (untagged) port and for the rest it's a trunk (tagged) port.
On the device you then set up an additional IP address for each tagged VLAN; on Linux it's quite simple:
ifconfig eth1.20 "device's address on VLAN 20 goes here" netmask 255.255.255.0 up
It's exactly the same as configuring a normal ethernet interface, the only difference is in the name of the interface, where you append the VLAN ID after the device name with a dot in between (in the case above that's ".20" for VLAN ID 20).
The benefit of such a device configuration is that all the traffic between devices in the "secondary" VLAN and the server only traverses switches, which is mostly done at wire speed. Without it, the traffic would pass through the router CPU, which is mostly quite a bit slower. On the other hand, passing through the router gives you the possibility for some filtering. E.g. you could only allow connections from certain devices or even to some certain services (such as http), which cannot be done with VLAN-based configuration.
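One way to write the filtering described above (cross-connectivity limited to allowed cases, such as certain devices or only http) as RouterOS firewall rules. This is an added example, not part of the original post: the interface names vlan-10 and vlan-20 come from the post, while every address and the address-list name are constructed for illustration.

```routeros
# Added example. Constructed values (assumptions, not from the post):
#   VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24
#   web server in VLAN 20 = 192.168.20.10
#   trusted device in VLAN 10 = 192.168.10.50
/ip firewall address-list
add list=vlan10-trusted address=192.168.10.50 comment="constructed: device allowed into VLAN 20"

/ip firewall filter
# Replies belonging to connections that a rule below has already accepted
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to accepted connections"

# Allowed case 1: any VLAN 10 device may reach the web server, http only
add chain=forward action=accept in-interface=vlan-10 out-interface=vlan-20 \
    protocol=tcp dst-address=192.168.20.10 dst-port=80 \
    comment="VLAN 10 -> web server, http only"

# Allowed case 2: only listed VLAN 10 devices may open other connections
add chain=forward action=accept in-interface=vlan-10 out-interface=vlan-20 \
    src-address-list=vlan10-trusted \
    comment="trusted VLAN 10 devices -> VLAN 20"

# Everything else between the two VLANs is dropped and logged, both directions
add chain=forward action=drop in-interface=vlan-10 out-interface=vlan-20 \
    log=yes log-prefix="vlan10-to-20 " comment="default deny VLAN 10 -> 20"
add chain=forward action=drop in-interface=vlan-20 out-interface=vlan-10 \
    log=yes log-prefix="vlan20-to-10 " comment="default deny VLAN 20 -> 10"
```

Rules are matched top to bottom, so these must sit above any broader accept rule already present in the forward chain. They only see traffic that is routed by the RB: a server attached through a hybrid port reaches its tagged VLAN through the switch alone, so access to it has to be restricted on the server itself.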