istimac
just joined
Topic Author
Posts: 7
Joined: Mon Feb 12, 2018 11:29 am

Multiple networks and firewall

Mon Sep 10, 2018 5:20 pm

When I want to make another network, let's say subnet B/24 for guest wifi, or whatever, I just add firewall raw rules to drop traffic between A/24 -> B/24 and vice versa.

But I would now have to have 8 or 9 different subnets, all isolated from each other (1 fiber connection, lots of clients). Is there a way to do this with as few firewall rules as possible?
I was thinking to put all the subnets in the address list, but then I would block communication within the subnet.
So 9 different address lists, each one without one of the subnets?
Would there be performance issues with 9 entries?
I was thinking 9 core CCR or the new 4011 for the job. (heavy queues, 200 users)

Are there best practices for this scenario?

Thx
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple networks and firewall

Mon Sep 10, 2018 7:33 pm

It is better to use an interface list instead of an address list in this case.
You make an interface list with all your internal interfaces (or you use the existing list LAN for this).
Then you add a drop rule for forward from members of this list to members of this list.
Then all inter-subnet routing is forbidden, but routing to internet is still allowed for all of them.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple networks and firewall

Mon Sep 10, 2018 7:45 pm

I guess you could get the work done with a single address list containing all 8 or 9 subnets and forbid any connectivity between members of the list. Indeed this would also prevent communication within the same subnet, so you would have to make sure that any communication inside a subnet happens on L2 so that it doesn't pass the firewall rules. Which is what you want to do anyway, so as not to create a bottleneck inside the subnet. Which means that interfaces carrying the same subnet would have to be members of the same bridge. Which should also work for non-ethernet (i.e. wlan) interfaces.
This might become a problem due to the fact that only one bridge can have HW offload on its interfaces (on the vast majority of routerboards), and to keep intra-subnet wirespeed without the CPU load running sky high, you might need to pull some tricks (such as using VLANs if the RB features a decent switch chip). But this is becoming yet another story.
 
istimac
just joined
Topic Author
Posts: 7
Joined: Mon Feb 12, 2018 11:29 am

Re: Multiple networks and firewall

Mon Sep 10, 2018 9:25 pm

Thank You for your answers.

I was thinking the same thing, just one SFP+ connection to an L2 switch, and do it with VLANs, so clients would not connect through the router itself. And I guess that would work.
But I also need road warrior L2TP/IPsec on the router itself, and then I would not be able to see any other device on the same subnet, at least while connected with VPN.

Again, thx a lot.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple networks and firewall

Mon Sep 10, 2018 9:43 pm

You could have a rule explicitly allowing traffic between the VPN interface and all LAN subnets ... if placed above the rule forbidding inter-LAN connections this might work. I'm just not sure if the firewall is aware of the interface after packets get through all the IPsec policies.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple networks and firewall

Tue Sep 11, 2018 12:31 am

> I was thinking the same thing, just one SFP+ connection to an L2 switch, and do it with VLANs, so clients would not connect through the router itself. And I guess that would work.
> But I also need road warrior L2TP/IPsec on the router itself, and then I would not be able to see any other device on the same subnet, at least while connected with VPN.

When you make the interface list and forward rule as I described it will not be an issue.
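The interface-list approach from this thread written out as a RouterOS configuration, as an added example rather than anything posted by the participants. The list and interface names (CLIENTS, VPN, vlan10 ... vlan90, ether1-wan) are assumptions, and it assumes the ppp profile's interface-list parameter is available on the running RouterOS version so that dynamic L2TP tunnel interfaces join a list automatically.

```routeros
# Added example, not from the thread. Names below are assumptions.
# Goal: 9 routed client subnets that cannot reach each other, all with
# internet access, while L2TP/IPsec road-warrior clients terminated on the
# router can reach every subnet. One list + one drop rule, not 9x9 rules.

# 1. One interface list holding every per-subnet interface (VLANs on the
#    single SFP+ trunk to the L2 switch; intra-subnet traffic stays on the
#    switch and never enters the forward chain).
/interface list add name=CLIENTS comment="isolated client subnets"
/interface list member add list=CLIENTS interface=vlan10
/interface list member add list=CLIENTS interface=vlan20
/interface list member add list=CLIENTS interface=vlan30
/interface list member add list=CLIENTS interface=vlan40
/interface list member add list=CLIENTS interface=vlan50
/interface list member add list=CLIENTS interface=vlan60
/interface list member add list=CLIENTS interface=vlan70
/interface list member add list=CLIENTS interface=vlan80
/interface list member add list=CLIENTS interface=vlan90

# 2. A second list for the dynamic L2TP interfaces. The inner IP traffic of
#    an L2TP/IPsec client arrives on its PPP interface after decryption, so
#    in-interface-list matching works there; the ppp profile adds each
#    tunnel to the list when it comes up.
/interface list add name=VPN comment="road-warrior L2TP/IPsec tunnels"
/ppp profile set [find name=default] interface-list=VPN

# 3. Forward chain, order matters: stateful accept first, the explicit
#    VPN<->CLIENTS allow above the drop, then the single isolation rule.
#    CLIENTS -> ether1-wan never matches the drop, so internet stays open.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for already accepted flows"
add chain=forward action=accept in-interface-list=VPN \
    out-interface-list=CLIENTS comment="VPN clients reach every subnet"
add chain=forward action=accept in-interface-list=CLIENTS \
    out-interface-list=VPN comment="subnets may answer/reach VPN clients"
add chain=forward action=drop in-interface-list=CLIENTS \
    out-interface-list=CLIENTS comment="no routing between client subnets"
```

Verify placement with `/ip firewall filter print` (rules are evaluated top to bottom, so the drop must sit below the two VPN accepts) and watch the rule counters while a VPN client and two LAN hosts try to reach each other.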