I have a working network configured as in the attached diagram. The "Main" VLAN on the "Border" router is set to subnet 10.1.10.0/24:
and the management IP addresses as follows:
In order to better isolate the Main Vlan from the Guest VLAN, I tried to change the management IP addresses as follows:
but that change caused the PC connected to the Main VLAN on the Floor-1 router to lose internet connectivity.

I don't understand why. The ipconfig on the affected PC looks OK. What else might need to be changed? Any advice on troubleshooting? Thanks.

On further thought, I don't understand what /ip address add does, and I'm having trouble finding documentation.
...

OK, I think my misunderstanding is that defines the management IP address when actually management access is controlled by the firewall input chain filters. I'll try that instead.

You mention GUEST VLAN but you don't show any config where it is being used/defined ?
It's not at all clear where you set that mgmt address, on which device ? Why 2 ?

Similar on your network diagram, nowhere is indicated what network address which device has ?

So very confusing to say the least ...

You mention GUEST VLAN but you don't show any config where it is being used/defined ?
It's not at all clear where you set that mgmt address, on which device ? Why 2 ?

Similar on your network diagram, nowhere is indicated what network address which device has ?

So very confusing to say the least ...

Yes, I was very confused. I was trying to isolate GUEST VLAN from the management interface, and now realize that changing the management IP address isn't the way to do that. Instead, I replaced this firewall rule:
with:
and changed dns-server on the GUEST_VLAN DHCP server from:
to:
This is working. Devices on GUEST_VLAN can no longer access the routers on 10.1.10.1 and 10.1.10.2 but do have WAN access.

However, devices on GUEST_VLAN can still access the management interface of the WiFi AP on the GUEST-VLAN with IP 10.1.30.10. I don't understand why these firewall rules don't block that:
Maybe connection at Layer 2 is bypassing the firewall?

To work with vlans, you will pull your hair out moving things around best bet is to take one port off the bridge and do all the configuration safely there!!!

Notes:
1. FIRST STEP add Offbridge settings, and do all vlan configuration from this safe spot. ( using port 9). Recommend this for all devices.....
2. added Management Interface List entity
3 Removed duplicate IP Pool
4. Assume 3 vlans, one is management vlan (all devices get IP address on this vlan) / Trusted VLAN (like home users) / Guest or IOT Vlan
5. Since RB4011 has two groupings of ports, put the first five ports together same bridge, moved WAN port to 6.
6. Normally for PPPOE one does NOT use ip dhcp client OR an ip address for WAN.
7. Changed ppoe peer dns server to NO. Reason it appears you want users to go via 1.1.1.1 and not ISP..

STEP1:
To work on vlans as it can get sticky when applying vlans or trying to change from default to your steup, its best to do so from a safe spot. Saves much grief!
So use an off bridge port for the configuration and also as an emerg access port on the device at any time.....

Associated config entries ( remove ETHER9 from the bridge in /interface bridge port settings) :
/interface ethernet
set [ find default-name=ether5] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
add interface=OffBridge5 list=MGMT or BASE or TRUSTED (if you have a management vlan etc.)
add interfac=OffBridge5 list=LAN

Note: to access the router simply plug your device into port5 and configure your PC/laptop with IPV4 settings of 192.168.77.2 and via username and password you should have access.

OK, thanks. The VLAN config I have now is working, I'll try your recommendation when it gets more complicated.