Okay. With that in mind, I will assume ether6 on the router is an available port that is not actually hooked up to your PC all the time, and that you normally manage the network from a PC on vlan10.
Will post the config shortly. The firewall rules need work: for example, you made a specific rule for admin access to the router, but another rule (a default rule) allows everyone on the LAN access to the router, which makes the admin-only rule pointless. Once you start customising the config, the default rules have to be adjusted to match.
Assuming ether4 and ether5 are PCs attached to the ROUTER on vlan10.
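# Bridge that carries both VLANs.
# NOTE: nothing in this listing sets vlan-filtering=yes on bridge1. Until it is
# enabled, the frame-types / ingress-filtering / pvid settings on the bridge ports
# are not enforced. Enable it as the last step, while connected through the
# off-bridge port ether6-EMERG so a mistake cannot lock you out.
/interface bridge
add name=bridge1
# Rename the physical ports by role. Each line must select a different
# default-name; ether4 and ether5 previously both selected ether3, which would
# have renamed ether3 three times and left ether4/ether5 untouched.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-RUCKUS
set [ find default-name=ether3 ] name=ether3-SWITCH
set [ find default-name=ether4 ] name=ether4-general_use
set [ find default-name=ether5 ] name=ether5-my_pc
set [ find default-name=ether6 ] name=ether6-EMERG
# Layer-3 VLAN interfaces on top of the bridge: vlan10 = main LAN, vlan20 = IoT.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
# Interface lists referenced by the firewall rules:
#   WAN  - upstream, LAN - anything internal, MGMT - where router admin is allowed from.
/interface list
add name=WAN
add name=LAN
add name=MGMT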
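# Address pools. dhcp-vpn is defined here but not bound to any DHCP server in
# this listing (presumably consumed by a VPN profile - confirm).
/ip pool
add name=dhcp_LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_IOT ranges=172.16.1.20-172.16.1.100
add name=dhcp-emerg ranges=10.10.0.2-10.10.0.5
# One DHCP server per subnet. The emergency server must reference the pool and
# interface exactly as they are named above (dhcp-emerg, ether6-EMERG); the
# earlier spelling dhcp_emerg / ethernet6-EMERG matched neither.
/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=vlan10 name=dhcp-LAN
add address-pool=dhcp_IOT disabled=no interface=vlan20 name=dhcp-IOT
add address-pool=dhcp-emerg disabled=no interface=ether6-EMERG name=emer-server
# Options handed to clients: the router is both gateway and DNS server on each subnet.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=172.16.1.0/24 dns-server=172.16.1.1 gateway=172.16.1.1
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1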
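# Bridge ports. ether2/ether3 are trunks (tagged frames only); ether4/ether5 are
# access ports that accept only untagged frames and place them in VLAN 10.
# ether6-EMERG is deliberately NOT a bridge port, so it keeps working if the
# bridge/VLAN setup is broken.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2-RUCKUS
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-SWITCH
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-general_use pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5-my_pc pvid=10
# Connection-tracking timeout for established TCP sessions.
/ip firewall connection tracking
set tcp-established-timeout=5h
# Neighbor discovery is advertised on every LAN interface.
# NOTE(review): discovery announces the router to everything on those segments;
# consider discover-interface-list=MGMT so only the admin segments see it.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table. VLAN 10 goes tagged to the AP and the switch and untagged to the two
# access ports; VLAN 20 goes tagged to the AP only. Ports are referenced by the
# names assigned under /interface ethernet (ether4-general_use, ether5-my_pc).
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH untagged=ether4-general_use,ether5-my_pc vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20
# It is also correct not to enter the untagged ports, as the router will
# automatically insert them; however I like to enter them manually as a visual
# crosscheck when making the config and later whenever checking the config.
# The equivalent short form (use instead of the two lines above, not in addition):
# add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH vlan-ids=10
# add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20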
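# Interface list membership. Firewall rules match on the interface a packet is
# routed in on; for tagged traffic that is vlan10 / vlan20, not bridge1, so the
# VLAN interfaces themselves have to be members of LAN for the LAN rules to match.
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge1 list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=ether6-EMERG list=LAN
add interface=ether6-EMERG list=MGMT
add interface=vlan10 list=MGMT
# Router addresses, one per subnet.
# NOTE(review): ether1-WAN gets a static address here AND a DHCP client below;
# normally only one of the two is wanted - confirm which the upstream expects.
/ip address
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
add address=172.16.1.1/24 interface=vlan20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1-WAN network=192.168.1.0
add address=10.10.0.1/24 interface=ether6-EMERG network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8
# Address lists used by the firewall.
/ip firewall address-list
# Okay, this makes sense: it is not covered by an interface and is specific.
# However, I didn't see where you use it - no rule in this listing references IOT-allowed.
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed
# PLACEHOLDERS: replace the text after address= with the real IP of each admin
# device. These devices sit in DHCP ranges, so give them static leases; otherwise
# a lease change silently hands admin access to whichever host gets that address.
add address=IP of Admin Desktop (on vlan10) list=AdminAccess
add address=IP of Admin Laptop (on vlan10) list=AdminAccess
add address=IP of Admin Smartphone (on vlan10) list=AdminAccess
add address=IP of Admin Desktop/laptop (on ether6-EMERG) list=AdminAccess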
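/ip firewall filter
# NEEDS WORK! Treat this as a starting point and review every rule against your own setup.
#
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input connection-state=\
established,related,untracked
add action=drop chain=input connection-state=\
invalid
# ICMP is accepted from every interface, WAN included.
add action=accept chain=input protocol=icmp
# Router management: the packet must arrive on an MGMT interface AND come from an
# AdminAccess address. The property name is src-address-list; "source-address-list"
# is not a valid matcher and the rule would be rejected on import.
add action=accept chain=input comment="Allow admin access" in-interface-list=MGMT src-address-list=AdminAccess
# Everyone else on the LAN gets DNS from the router and nothing more.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
# Add this rule last, and only once AdminAccess holds the address you are
# connected from; otherwise the router drops your own management session.
add action=drop chain=input comment="drop all else"
#
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN Traffic" \
in-interface-list=LAN out-interface-list=WAN
# Disable the next rule if you are not using port forwarding.
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# Admin devices may reach every internal subnet; nothing else crosses between
# subnets because of the final drop. Uses src-address-list, as on the input chain.
add action=accept chain=forward comment="MGMT access to all subnets" \
in-interface-list=MGMT out-interface-list=LAN src-address-list=AdminAccess
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# This rule has no out-interface matcher, so it masquerades VPN-sourced traffic
# towards any destination, internal subnets included.
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" src-address=192.168.89.0/24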
....
As for the switch, it is pretty simple. You will note two options for the bridge vlan entries, as the bridge will automatically add the untagged ports when required.
I prefer to manually insert them as a cross check when doing my config and later when checking my config.
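# Switch side: ether24-router is the trunk towards the router (tagged frames
# only); every other port is an access port that puts untagged frames in VLAN 10.
# As on the router, these port settings are only enforced once vlan-filtering=yes
# is set on bridgeSW.
/interface bridge port
add bridge=bridgeSW frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24-router
add bridge=bridgeSW frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=10
# repeat for all other bridge ports
/interface bridge vlan
# Option 1 - if you prefer the automated construction: list only the tagged
# members and let the bridge add the untagged ports from their pvid.
add bridge=bridgeSW tagged=bridgeSW,ether24-router vlan-ids=10
# OR
# Option 2 - list the untagged ports explicitly as a crosscheck. Use it instead
# of option 1, not in addition. The VLAN id must equal the pvid on the access
# ports (10), and ports are named etherN. Placeholder port list - fill in your own:
# add bridge=bridgeSW tagged=bridgeSW,ether24-router untagged=ether1,ether2,...,etherN vlan-ids=10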