So you have separate wireless AP's ?
I would take a look at the Wiki's for the different topics you need :
https://wiki.mikrotik.com/wiki/Manual:S ... ic_Routing
2) Securing services
(so really make sure you add your "LAN" subnet in the "address" field. Otherwise it is wide open to the world. I think you want incoming HTTP/SSH/WINBOX from Internet for now.
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
This can be a bit diffucult, since you need to understand the different "chains" that works with RouterOS.
In your case I would suggest almost full drop of everything coming in the "INPUT" chain so targeted at router IP 188.8.131.52
The the "FORWARD" chain I would also filter in incoming-interface=ethernet_port_of_ISP and then everything that is "invalid" , or "new" (since you do not expect new packets to arrive from ISP for new TCP-sessions, only returning traffic from sessions you created LAN-side initiated.
Also think about UDP traffic etc.
4) Make sure you run LATEST version of RouterOS !
5) Make a new "admin" user, name it something different offcourse and then disable/remove the "admin" user.
6) DHCP ? You want to run DHCP ?
You could make a small pool. The wireless AP's you can give a reservation so they always have same IP etc.