Network diagram is needed indeed.
The simplest network topology with one subnet per building and one building per RB4011 ethernet port does not require smart switches and VLANs, some reconfiguration of RB4011 will do. However if you want to segment networks in the buildings (or have flexible configuration, some subnet spanning more than one building), then indeed the simplest way is to use VLANs (and smart switches in the buildings).
When providing network diagram, you can provide current RB4011 configuration as well: run /export hide-sensitive file=anynameyouwish, fetch the resulting file, open it with text editor, mask off any public IP addresses there might be visible, and copy-paste it to [code] [/code] environment (the square brackets icon above post editor window). This way you'll get a quality suggestion on how to change config.
# mar/03/2021 11:39:07 by RouterOS 6.47.9
# software id = V50M-CHT9
#
# model = RB4011iGS+
# serial number = D4480Dxxxxxxx
/interface bridge
add admin-mac=08:55:31:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
speed=10Gbps
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi value=0x010459A0597E
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.1.239
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.1.254/23 comment=defconf interface=ether1 network=\
192.168.0.0
add address=wanip/30 interface=sfp-sfpplus1 network=wanip
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.0.0/23 comment=defconf dhcp-option=unifi dns-server=\
192.168.1.254,8.8.8.8 gateway=192.168.1.254 netmask=23
/ip dns
set allow-remote-requests=yes servers=wan.wan
/ip dns static
add address=192.168.1.254 comment=defconf name=router.lan
/ip firewall address-list
add address=wan list=admin
add address=192.168.1.239 list=internet
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=3478 protocol=udp to-addresses=wan to-ports=3478
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5514 protocol=udp to-addresses=192.168.1.254 to-ports=5514
add action=dst-nat chain=dstnat connection-type="" disabled=yes dst-address=\
89.160.89.126 dst-port=8080 protocol=tcp to-addresses=192.168.1.254 \
to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8443 protocol=tcp to-addresses=192.168.1.254 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8880 protocol=tcp to-addresses=192.168.1.254 to-ports=8880
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8843 protocol=tcp to-addresses=192.168.1.254 to-ports=8843
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=6789 protocol=tcp to-addresses=192.168.1.254 to-ports=6789
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5656-5699 protocol=udp to-addresses=192.168.1.254 to-ports=\
5656-5699
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=27117 protocol=tcp to-addresses=192.168.1.254 to-ports=27117
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=1001 protocol=udp to-addresses=192.168.1.254 to-ports=1001
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=1900 protocol=udp to-addresses=192.168.1.254 to-ports=1900
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=443 protocol=tcp to-addresses=192.168.1.254 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5222 protocol=tcp to-addresses=192.168.1.254 to-ports=5222
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5223 protocol=tcp to-addresses=192.168.1.254 to-ports=5223
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5269 protocol=tcp to-addresses=192.168.1.254 to-ports=5269
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5280 protocol=tcp to-addresses=192.168.1.254 to-ports=5280
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5281 protocol=tcp to-addresses=192.168.1.254 to-ports=5281
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5298 protocol=tcp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5298 protocol=udp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=3478 protocol=tcp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=19302 protocol=udp to-addresses=192.168.1.254 to-ports=19302
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=19305 protocol=udp to-addresses=192.168.1.254 to-ports=19305
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=10001 protocol=udp to-addresses=192.168.1.254 to-ports=10001
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=80 protocol=tcp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=80 protocol=udp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=22 protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=22 protocol=udp to-addresses=192.168.1.254 to-ports=22
/ip route
add distance=1 gateway=wan
/ip service
set www-ssl certificate=root-cert disabled=no
/system clock
set time-zone-name=Europe/
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN