I dont know what im doing wrong but on edge routers the rules get applied by interface. This long list on the Mikrotik is confusing me. Is this something that can be done on the Mikrotik?
That's an incomplete example, but I will make some assumptions:
PROTECT_NETWORKS is a network group that contains networks you don't want the "guest" interface to forward to (e.g. all rfc1918 addresses). The MikroTik analogue for vyatta's nework-group is
/ip firewall address-list
Have you read
Building Your First Firewall and
Building Advanced Firewall?
Naming in MikroTik is more like linux iptables, and not like vyatta. chain=forward is similar to the vyatta "in" direction, it applies to traffic that is routed (not terminating on a service on the MikroTik)
If you want the closest to the filtering on the "ingress interface" you would use something like if you wanted to block devices on ether3 (and possibly other interface you add to GUEST) from establishing new connections to "PROTECT_NETWORKS"
/interface list add GUEST
/interface list member add ether3 GUEST
/ip firewall filter
...
add action=accept chain=forward comment="Allow established/related traffic" connection-state=established,related
...
add action=drop chain=forward comment="Block new connections to PROTECT_NETWORKS" connection-state=new in-interface-list=GUEST
...
add action=drop chain=forward comment="default action drop - the final catchall rule"