Where I'd like to get to:
- Data subnet, /24, for trusted devices...some wired, some Wi-Fi...which should be able to access everything on the internal network plus access to Internet.
- Guest subnet, /25, for guest Wi-Fi access through a Unifi portal. Should only have access to the Internet...filtered access, at that (we use SafeDNS).
- IoT subnet, /25, for smart thermostats and similar devices, on a separate Wi-Fi SSID. Should only have access to the Internet.
- VoIP subnet, /26, for wired PoE IP phones. Needs access to Internet. Interesting complication, some computers are plugged into IP phones and should have access to the data subnet. Is there a way to allow the same switch port to access two separate VLANs?
- Camera subnet, /26, for wired PoE surveillance cameras. Needs to communicate with the surveillance controller which is on the data network but should not have direct access to or from the WAN.
That's all do-able. I'd suggest sticking with /24s and matching one of the octets in the private IP with the VLAN ID - it makes it obvious which VLAN an address is associated with, e.g. 192.168.11.0/24 and VLAN11, 192.168.12.0/24 and VLAN12, etc.
As you are only intending using one LAN port you could attach VLAN interfaces directly to ether2, but I would suggest using a VLAN-aware bridge so you can add additional LAN ports in future without major upheaval.
The internet-only subnets can be implemented with a firewall filter rule allowing forwarded traffic in from the VLAN interface and corresponding source IP address range out of the WAN port (or out of the WAN interface list), followed by one dropping all forwarded traffic in from the VLAN interface. Similarly for the cameras, instead of an 'allow to internet' rule you can have one to allow forwarded traffic in from the camera VLAN interface and corresponding source IP address range out of the data VLAN interface to the specific address of the controller and ports (you would need separate rules if you wish to allow a range of TCP plus a range of UDP ports).
I usually specify the Mikrotik as the DNS server and NTP server in the dhcp-server network declarations, e.g. `add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 ntp-server=192.168.11.1`
and you can use firewall nat redirect rules to force any DNS (requires separate rules for UDP and TCP), and NTP if desired, requests with a destination which is different to the Mikrotik.
That is fine if the Mikrotik is set to use the SafeDNS service for its own lookups, otherwise you can specify the SafeDNS servers in the DHCP server configuration which require it and use firewall nat src-nat rules instead of redirect.
Many VoIP phones with two ethernet ports allow separate VLANs to be configured for a locally-attached PC and the voice traffic. This can be done by manually configuring the phones to tag the voice traffic and configure the switch to match, or as your switch appears to support LLDP-MED it may be possible to automate this if the phones do too.
You haven't mentioned what WiFi system you are using, but as long as you can create multiple SSIDs and associate them with tagged VLANs they are just a conduit for the traffic from the client device to the Mikrotik.
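The design described in the reply above, written out as a RouterOS script. This is an added example, not configuration from the thread; it assumes ether1 is the WAN port, ether2 is the tagged trunk to the switch, VLAN IDs match the third octet as the reply suggests, and a hypothetical surveillance controller at 192.168.11.50 listening on TCP 8000-8100.

```routeros
# Added example, not from the original thread. Assumptions: ether1 = WAN,
# ether2 = trunk to switch, data VLAN 11, guest VLAN 12, IoT VLAN 13,
# cameras VLAN 15, controller 192.168.11.50 on TCP 8000-8100 (hypothetical).
/interface bridge
add name=bridge1 comment="set vlan-filtering=yes once the VLAN table below is complete"
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=11,12,13,14,15
/interface vlan
add interface=bridge1 name=vlan11-data vlan-id=11
add interface=bridge1 name=vlan12-guest vlan-id=12
add interface=bridge1 name=vlan13-iot vlan-id=13
add interface=bridge1 name=vlan15-cam vlan-id=15
/interface list
add name=WAN
add name=INTERNET_ONLY
/interface list member
add interface=ether1 list=WAN
add interface=vlan12-guest list=INTERNET_ONLY
add interface=vlan13-iot list=INTERNET_ONLY
/ip address
add address=192.168.11.1/24 interface=vlan11-data
add address=192.168.12.1/24 interface=vlan12-guest
add address=192.168.13.1/24 interface=vlan13-iot
add address=192.168.15.1/24 interface=vlan15-cam
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 ntp-server=192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1 ntp-server=192.168.13.1
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to allowed flows"
# internet-only VLANs: accept only their own source range towards the WAN, then drop everything else
add chain=forward action=accept in-interface=vlan12-guest src-address=192.168.12.0/24 out-interface-list=WAN
add chain=forward action=accept in-interface=vlan13-iot src-address=192.168.13.0/24 out-interface-list=WAN
add chain=forward action=drop in-interface-list=INTERNET_ONLY
# cameras: only the controller's service ports on the data VLAN; no WAN in either direction
add chain=forward action=accept in-interface=vlan15-cam src-address=192.168.15.0/24 \
    out-interface=vlan11-data dst-address=192.168.11.50 protocol=tcp dst-port=8000-8100
add chain=forward action=drop in-interface=vlan15-cam
add chain=forward action=drop in-interface-list=WAN out-interface=vlan15-cam
/ip firewall nat
# force DNS to the router even if a client hard-codes another resolver (UDP and TCP need separate rules)
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 \
    in-interface-list=INTERNET_ONLY dst-address-type=!local
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 \
    in-interface-list=INTERNET_ONLY dst-address-type=!local
add chain=srcnat action=masquerade out-interface-list=WAN
```

The established,related rule must stay above the drops or the controller's and WAN's return traffic will be discarded; the router itself must be pointed at the SafeDNS resolvers for the redirect to deliver filtered answers.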