Hello good people.
There is a small network of ~50 devices (20 workstations, 3 servers, 15 SIP phones and an internal SIP server, some MFDs and printers, some security and CCTV equipment) within a single L3 subnet (10.0.10.x) and a single L2 segment without any VLANing whatsoever. I plan to segment this bad boy into 8-10 VLANs and corresponding IP subnets with 1:1 mapping. Of course, there will be some inter-VLAN routing.
So far nothing special, but here's the crux of the matter: the main router in this network is a hex S (RB760iGS) with a flimsy MT7621 switch chip which, as far as I understood it from the Mikrotik wiki, doesn't support any kind of hardware-level routing between VLANs and throws everything onto its CPU. Unfortunately, this absolutely will not cut it, because some of the data moving between some of those VLANs (especially hourly and large daily backups between endpoint devices, servers and a backup server) will require nearly the full wire-speed bandwidth of a Gigabit Ethernet connection in order to be completed in a reasonable amount of time without completely destroying the router's poor CPU in the process.
Fortunately, this network also uses a cAP ac as its single wireless access point and an HPE OfficeConnect 1920S series switch, specifically the JL386A 48-port model. As far as I understand, the cAP ac has an Atheros8327 switch chip onboard, which supports VLAN tables and some other switching features that the MT7621 does not. The HPE switch isn't bad either: it has some helpful L2 and L3 features, namely 802.1q VLANs, static and inter-VLAN routing, DHCP relay, and, most important of all, hardware-level IPv4-based and MAC-based ACLs for interfaces and VLANs.
(Note: I have no official confirmation that the ACL feature on the switch is hardware-offloaded, but I really hope that it is, probably ASIC-based or even more likely FPGA-based, because otherwise why the hell would the official manual mention that the switch, which comes with a pathetic dual-core 400MHz ARM CPU that can freak out if you move around in the Web GUI too fast, supports up to 50 ACLs in total and up to 10 ACL rules per individual interface/VLAN.)
With all that said, I believe that there are only two reasonable options:
1) either configure everything that concerns VLANing (the VLANs themselves, IP subnets for the VLANs, inter-VLAN routing and a VLAN-aware firewall) on the aforementioned cAP ac unit, in which case the hex S will serve only as the default gateway to the Internet and a VPN server, while the switch will still function pretty much as a dumb switch; essentially, it will be a traditional router-on-a-stick configuration, but with the cAP ac stealing most roles from the hex S.
2) or configure VLANs, subnets and ACLs on the switch, enable DHCP relay and pass DHCP requests through to the DHCP servers on the router for those VLANs (yes, the switch has this option specifically for VLAN routing).
So, here is my question: what is my best bet in this situation? Both options initially seem viable, but maybe I am missing something important.
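As an added example (not part of the original post, and not a configuration the poster has shown), here is what option 1 looks like on the cAP ac in RouterOS terms: bridge VLAN filtering with ether1 as the tagged trunk to the HPE switch, ether2 as an untagged transit link to the hex S, the two radios dropped into the workstation VLAN, one DHCP server per VLAN, and a forward-chain firewall that only permits the inter-VLAN flows the network actually needs. All VLAN IDs, subnets, interface names and the transit addressing (VLAN 99, 10.0.99.0/30, hex S at 10.0.99.1) are assumptions chosen for the example; only the 10.0.10.x prefix comes from the post.

```routeros
# Assumed layout (not from the post):
#   VLAN 10  10.0.10.0/24  servers + backup server
#   VLAN 20  10.0.20.0/24  workstations + Wi-Fi
#   VLAN 30  10.0.30.0/24  SIP phones + internal SIP server
#   VLAN 40  10.0.40.0/24  CCTV / security gear
#   VLAN 99  10.0.99.0/30  transit to hex S (cAP ac .2, hex S .1)

# 1. Bridge. Leave vlan-filtering OFF until everything else is in place,
#    otherwise you lock yourself out halfway through.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Bridge ports. ether1 is the 802.1Q trunk to the HPE switch, ether2 is
#    the untagged link to the hex S, both radios are access ports in VLAN 20.
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan1 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan2 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# 3. VLAN table. "bridge1" must be in the tagged list of every VLAN the CPU
#    needs to route for; otherwise the router never sees those frames.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan1,wlan2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=99

# 4. L3 interfaces and addresses (gateway = .1 in each subnet).
/interface vlan
add interface=bridge1 name=vlan10-servers vlan-id=10
add interface=bridge1 name=vlan20-workstations vlan-id=20
add interface=bridge1 name=vlan30-voip vlan-id=30
add interface=bridge1 name=vlan40-cctv vlan-id=40
add interface=bridge1 name=vlan99-transit vlan-id=99
/ip address
add address=10.0.10.1/24 interface=vlan10-servers
add address=10.0.20.1/24 interface=vlan20-workstations
add address=10.0.30.1/24 interface=vlan30-voip
add address=10.0.40.1/24 interface=vlan40-cctv
add address=10.0.99.2/30 interface=vlan99-transit
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1 comment="default via hex S"

# 5. One DHCP server per VLAN (servers VLAN left static on purpose).
/ip pool
add name=pool20 ranges=10.0.20.100-10.0.20.199
add name=pool30 ranges=10.0.30.100-10.0.30.199
add name=pool40 ranges=10.0.40.100-10.0.40.199
/ip dhcp-server
add name=dhcp20 interface=vlan20-workstations address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30-voip address-pool=pool30 disabled=no
add name=dhcp40 interface=vlan40-cctv address-pool=pool40 disabled=no
/ip dhcp-server network
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.10.5
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.10.5
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=10.0.10.5

# 6. Interface list used by the firewall to mean "any user VLAN".
/interface list
add name=VLAN
/interface list member
add interface=vlan10-servers list=VLAN
add interface=vlan20-workstations list=VLAN
add interface=vlan30-voip list=VLAN
add interface=vlan40-cctv list=VLAN

# 7. Inter-VLAN policy: default deny, explicit allows. Fasttrack first so the
#    bulk backup flows skip most of the filter chain once accepted.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack accepted flows"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface=vlan99-transit comment="any VLAN -> hex S / Internet / VPN"
add chain=forward action=accept in-interface=vlan20-workstations out-interface=vlan10-servers comment="workstations -> servers (backups)"
add chain=forward action=accept in-interface=vlan10-servers out-interface=vlan20-workstations protocol=tcp dst-port=445 comment="backup server -> workstation shares (assumed SMB pull)"
add chain=forward action=drop in-interface=vlan40-cctv comment="CCTV VLAN initiates nothing"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="everything else between VLANs is dropped"

# 8. Only now turn VLAN filtering on.
/interface bridge set bridge1 vlan-filtering=yes
```

Two things to keep in mind with this layout. First, the hex S needs a static route for 10.0.0.0/16 via 10.0.99.2 (and its NAT and VPN rules have to reference those subnets), otherwise return traffic from the Internet never reaches the VLANs. Second, on the cAP ac the switch chip can handle the L2 VLAN tagging, but the forward chain and the actual routing between the /interface vlan interfaces still run on the cAP ac's CPU, so the "nearly wire-speed backup between VLANs" requirement has to be checked against that CPU (for example with /tool bandwidth-test between two hosts in different VLANs) before committing to option 1; the rules above are an added example and are not meant to be applied without that test.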