Best way IMO would be to convert your current WAN+LAN setup to all-VLAN setup. So you would add all ports (including current WAN port to same bridge and use one VLAN for WAN and another VLAN for LAN. Your current WAN port (ether1) would be access port for WAN VLAN, some ports would be access ports for LAN VLAN or WAN VLAN or trunk ports for both VLANs ... all of this very much depends on how your LAN infrastructure looks like (any smart switches, where do various devices connect, etc.).
If you don't know how to do VLANs,
here's tutorial. Setup will work, but suboptimal on your hardware since explained setup runs entirely on CPU. You could setup similar config using switch chip VLAN handling, it's slightly more complex and easier to lock self out of device. You can start off using bridge config and later convert it to switch chip if the perfornance will not be satisfactory.
If other LAN infrastructure doesn't require trunk ports (because RB is only switch and all devices connect directly or intended WAN devices connect either directly or to dedicated switch), then you can go with two bridges, one for WAN and another for LAN. A gotcha: one switch chip can only offload single bridge, your RB has two switch chips (one running ports ether1-ether5, the other running ether6-ether10), so you should group ports carefully. If you want to use RB ad firewall also for WAN devices, those ports can't be offloaded anyway so you can even go with a software-run bridge (if traffic between the WAN devices won't be huge).
If there's a switch for WAN devices, then you can connect it between ISP and RB. This setup completely bypasses RB for other WAN devices, so RB's firewall won't protect them.