Very easy to do with or without vlans.
This is the best reference for vlans.....
viewtopic.php?f=23&t=143620
The answer to your question is basically the port structure.
If you will not need any of your ports for anything but one subnet, then vlans are not required.
However if you wish to have the flexibility of multiple subnets over a single port, vlans make sense.
Keep in mind that the other end of the port (the next device has to be able to read vlans aka a smart switch, to pass along the subnets.
In your case you are already struggling with setup due to limited ports and perhaps a smart switch is in your future.
In any case,
you could assign FOUR different subnets
a . management or emerg access
b. subnet A eth3
c. subnet B eth4
d. subnet C eth5
Simply add to the end of the default firewall rules a single rule, and all the subnets will be blocked from each other.
add chain=forward action=drop
Prior to this last rule in the forward chain you state the following to allow users in each subnet to access a shared device. With two devices it would be four rules........
subnet A is allowed access to device1 in subnet C
subnet A is allowed access to device2 in subnet C
subnet B is allowed access to device1 in subnet C
subnet B is allowed access to device2 in subnet C
Since you have two devices you make a firewall address list call it printers or whatever device it is
Add both devices to this list and then you only need to make the two firewall rules above with destination address list.
add chain=forward action=accept in-interface=ether3 out-interface=eth5 dst-address-list=printers
add chain=forward action=accept in-interface=ether4 out-interface=eth5 dst-address-list=printers
Further you can reduce this to one SiNGLE firewall rule using interface members.
/interface list members
ether1=WAN
ether2=LAN
ether3=LAN
ether4=LAN
ether5=LAN
add chain=forward action=accept in-interface-list=LAN out-interface=ether5 dst-address-list=printers
To illustrate the use of interface member lists imagine that
You may not want to have eth5 to get internet access.
So you have
ether1=WAN
ether2=LAN
ether3=LAN
ether4=LAN
ether5=LAN
eth2=internet
eth3=internet
eth4=internet
So before the drop all rule you will need to state
add chain=forward action=accept in-interface-list=internet out-interface-list=WAN
You could also refine the devices rule to
add chain=forward action=accept in-interface-list=internet out-interface-list=eth5 dst-address-list=printers