tdampier
just joined
Topic Author
Posts: 8
Joined: Sat Dec 30, 2023 11:04 pm

CRS326-24S+2Q+ RouterOS7.13 - Default Config

Sun Dec 31, 2023 1:17 am

New to Mikrotik so just learning. I had a few basic questions:

1) CRS326-24S+2Q+ - I have upgraded my brand new switch to RouterOS 7.13 but wanted to ask some basic questions:
a) It loaded a default config - should I change this? It is mentioned that if I lose power it will revert to the default config - is this the case? If so, how do you prevent this? It appears that some things that are default config options cannot be removed, like the ovpn-server/client interface.
b) I have planned a complex VLAN setup in which I would like to control all traffic between those VLANs. Should I change the configuration from Bridge to Route mode?
c) I will be taking specific switch ports and adding them to specific VLANs with tagging. This switch will sit behind a Firewalla Gold firewall and I will use one of the QSFP+ ports to connect it. In bridge mode will it automatically bridge traffic between these VLANs? Can I filter using firewall rules between these VLANs? Or should I switch to Router mode to make this cleaner?
d) There appear to be two switches configured by default in this model of Mikrotik switch: Marvell 98DX8332, which is configured for switch1, and Atheros 8227, which is configured for switch2. What is the best way to utilize these two switches?
e) The default configuration for this creates a bridge interface - this appears to be the way to bridge between the regular ethernet interfaces. Should I disable this to create segmented VLANs? For RouterOS 6 this bridge interface was where the switch IP address for management and using winbox was used, but when I upgraded to RouterOS 7 it changed it to the first SFP+ port where the laptop I was using was connected? For security I would not like this to be addressable except from one VLAN or segment - is there a best practice for this?

Let me know if this is not clear; I can upload a diagram of what I am trying to achieve with the Firewalla Gold firewall and the segmented VLANs on the CRS326 switch.

Thanks
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS326-24S+2Q+ RouterOS7.13 - Default Config

Sun Dec 31, 2023 12:07 pm

a) you can use default config as a starting point for your changes. And whatever you change, changes are saved permanently unless you do it while safe mode is enabled.
b) depends. If you have a router (which will handle traffic between VLANs), then you should keep using CRS as switch. If you don't have a router, then you can use CRS as router ... but beware that CRS has low routing capacity unless you make sure that your config can utilize L3HW offload
c) nothing is automatic in ROS, you'll have to configure device appropriately. Not a big deal though ...
d) where did you get the Atheros8227 idea? There's a single switch chip in CRS324.
e) if you omit ether1 interface from bridge ports and configure management IP address on it, then it'll be isolated from "traffic VLANs" just fine. It is quite usual to also have a management VLAN as well (as in-band management) and the (external) firewall ensures enforcement of access policy.
 
tdampier
just joined
Topic Author
Posts: 8
Joined: Sat Dec 30, 2023 11:04 pm

Re: CRS326-24S+2Q+ RouterOS7.13 - Default Config

Sun Dec 31, 2023 11:45 pm

a) Based on my default config which is slightly modified it shows the following
Bridge:
0 R ;;; defconf
    name="bridge" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=18:FD:74:3F:15:B7 protocol-mode=rstp
    fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=18:FD:74:3F:15:B7 ageing-time=5m priority=0x8000 max-message-age=20s
    forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no port-cost-mode=short

Switches:
#   NAME     TYPE              L3-HW-OFFLOADING  QOS-HW-OFFLOADING
0   switch1  Marvell-98DX8332  no                no
1   switch2  Atheros-8227      no                no

All switch ports are currently connected to the bridge:
ether1
qsfpplus1(1-4)
qsfpplus2(1-4)
sfp-sfplus(1-24)

After reading the docs for L3-HW-OFFLOADING it seems that you can only have one bridge, as any more are not able to be HW offloaded, so I guess that is what will stay :)

b) I bought the CRS326 as a router/switch because I don't have a router, and even if I did it would not route at wire speed with the CPU offloading.
Inter-VLAN Routing
From what I can tell here I may be able to use the switch mode with VLANs and leverage the FW rules also offloaded, as I see:
FW - the feature requires l3-hw-offloading=no for a given switch port. On the switch level, l3-hw-offloading=yes.

viewtopic.php?t=183142# - this post shows a nice config i can use to build off of as well as some answers I was looking for.
I am not going to be doing any NAT or IPv6, as this is a home network and I don't need it; this switch will hang off a Firewalla Gold, which will be my firewall to the internet.

c) I am just looking to lock down IPv4 traffic internally on some segmented VLANs for stuff like Roku, Nest/August/Ring, video streaming from NAS, etc.
I will have to test, but I think it should work out fine and should support both FW and VLAN routing HW offloading at wire speed.
I will be dedicating one qsfpplus1(1) port to the uplink to the Firewalla Gold firewall port @2.5gb.
q1) I assume I will use the DHCP server from the Firewalla Gold to seed all DHCP to each VLAN - any recommendations?
I will be dedicating several sfp-sfplus(1-x) ports per VLAN segment with tagging.
There are several work laptops that I use which will be on the CRS326, and those will need wire speed to the Internet.
The Roku streaming devices will also require wire speed to the Internet.
Internally I will be using Plex to stream video off NAS devices at wire speed within one VLAN.
However, most other traffic will be minimal, both to the Internet and between VLANs.

d) see table above as each CPU is dedicated to a switch
e) I will add a Management VLAN as well

I shall try to start building my configuration as I go and post questions as I need to going forward.

Thanks
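The point quoted above from the L3 HW offload docs (switch-level l3-hw-offloading=yes, per-port l3-hw-offloading=no for ports whose traffic must go through the firewall) is easy to get backwards, so here is an added RouterOS 7 example of what it looks like in practice. This is not configuration from the thread or from MikroTik; it assumes a bridge named "bridge" that already has VLAN filtering set up, the port names shown in the print output above (sfp-sfplus1..24, switch1), and VLAN IDs 7 and 20 with 10.0.7.0/24 and 10.0.20.0/24 as made-up subnets.

```routeros
# Added example, not from the thread: inter-VLAN routing with L3 HW offload
# while keeping the CPU firewall in the path for the IoT segment only.
# Assumptions: bridge "bridge" with VLAN filtering already configured,
# VLAN IDs 7 (video) and 20 (IoT), subnets 10.0.7.0/24 and 10.0.20.0/24.

/interface vlan
add interface=bridge name=vlan7-video vlan-id=7
add interface=bridge name=vlan20-iot vlan-id=20

/ip address
add address=10.0.7.1/24 interface=vlan7-video
add address=10.0.20.1/24 interface=vlan20-iot

# Switch-level offload on: routed traffic between two offloaded ports is
# forwarded by the Marvell ASIC and never reaches the CPU (or its firewall).
/interface ethernet switch
set switch1 l3-hw-offloading=yes

# Ports carrying traffic that must be inspected stay unoffloaded, so the
# software firewall below actually sees it. sfp-sfplus2 is the assumed IoT port.
/interface ethernet switch port
set [find name=sfp-sfplus2] l3-hw-offloading=no

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward connection-state=invalid action=drop
# IoT devices may be reached from the video VLAN but may not initiate to it
add chain=forward in-interface=vlan20-iot out-interface=vlan7-video action=drop comment="IoT -> video blocked"
# everything else from IoT that is not a reply is dropped; add explicit accepts above as needed
add chain=forward in-interface=vlan20-iot connection-state=new action=drop comment="IoT default deny"
```

The security-relevant caveat is the one the quoted doc line implies: a port left with l3-hw-offloading=yes bypasses these forward rules for traffic routed to another offloaded port, so every port whose traffic must be filtered has to be in the unoffloaded set, and the rest of the ports get wire-speed routing without inspection.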
 
tdampier
just joined
Topic Author
Posts: 8
Joined: Sat Dec 30, 2023 11:04 pm

Re: CRS326-24S+2Q+ RouterOS7.13 - Default Config

Sun Jan 28, 2024 11:57 pm

Finally I was able to finish this simple config and get a simple access port/trunk configuration working. Now I need some help with locking down the VLAN filtering. Any links on a good way to make sure it is locked down?
myconfig - clean.rsc
Also getting a CRS504-4XQ-IN to drop in and do stateful firewall/routing offloaded to HW as well.

Question is: should I do a one-leg model for just those VLANs that I am wanting to route/firewall, or should I put it inline prior to my Firewalla firewall, which with this current config is the next hop and is serving up DHCP & DNS?

Options:
1) one-leg ---- Internet->Firewalla->CRS326-24G-2S+RM(L3HW VLANs)
|(2x40GB -QFSP+)
CRS504-4XQ-IN(Routing/Firewall-HW-Offload)

2) inline - Internet->Firewalla->CRS504-4XQ-IN(Routing/Firewall-HW-Offload)->(2x40gb-QSFP)->CRS326-24G-2S+RM(L3HW VLANs)

Thanks
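Mkx's point e) (keep ether1 out of the bridge for management, plus an in-band management VLAN) and the question just above about locking down VLAN filtering come down to the same bridge VLAN table, so here is one added RouterOS 7 example covering both. It is not configuration from the thread, from the attached .rsc, or from MikroTik; interface names follow the print output earlier in the thread (ether1, sfp-sfplus1..24, qsfpplus1-1), while VLAN IDs 10, 20 and 99 and the 192.168.99.0/24 and 192.168.88.0/24 subnets are assumptions.

```routeros
# Added example, not from the thread: bridge VLAN filtering with the switch
# reachable only on a management VLAN and on ether1 (kept out of the bridge).
# Assumed: VLAN 10 and 20 as traffic VLANs, VLAN 99 for management,
# qsfpplus1-1 as the trunk to the upstream firewall, sfp-sfplus1/2 as access ports.

/interface bridge
add name=bridge protocol-mode=rstp vlan-filtering=no

/interface bridge port
# trunk: only tagged frames are accepted, untagged frames are dropped
add bridge=bridge interface=qsfpplus1-1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# access ports: untagged frames get the port PVID, tagged frames are dropped
add bridge=bridge interface=sfp-sfplus1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=sfp-sfplus2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether1 is intentionally NOT added to the bridge (out-of-band management)

/interface bridge vlan
# the bridge interface itself (the CPU) is a member of VLAN 99 only,
# so the traffic VLANs have no path to the switch's own IP stack
add bridge=bridge tagged=bridge,qsfpplus1-1 vlan-ids=99
add bridge=bridge tagged=qsfpplus1-1 untagged=sfp-sfplus1 vlan-ids=10
add bridge=bridge tagged=qsfpplus1-1 untagged=sfp-sfplus2 vlan-ids=20

/interface vlan
add interface=bridge name=vlan99-mgmt vlan-id=99

/ip address
add address=192.168.99.2/24 interface=vlan99-mgmt
add address=192.168.88.1/24 interface=ether1

# limit discovery, MAC-telnet and MAC-winbox to the management interfaces
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan99-mgmt
add list=MGMT interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip service
disable telnet,ftp,www,api

# turn filtering on last, after the VLAN table is complete; doing this step
# from safe mode means a mistake reverts instead of locking you out
/interface bridge
set bridge vlan-filtering=yes
```

The checks worth running after applying it are "/interface bridge vlan print" to confirm the bridge interface appears only under VLAN 99, and "/interface bridge host print" to confirm that hosts learned on sfp-sfplus1 show vid 10 and nothing else.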
 
tdampier
just joined
Topic Author
Posts: 8
Joined: Sat Dec 30, 2023 11:04 pm

Re: CRS326-24S+2Q+ RouterOS7.13 - Default Config

Tue Jan 30, 2024 12:21 am

Here is the high-level Network Diagram of what I am trying to do.
  1. Firewalla Gold + [4x2.5gb]
    1. Primary Function: Internet Firewall
    2. L3 Switch(Work VLANs)
    3. Mobile Devices
    4. Uplink to internet
  2. CRS326-24S+2Q+RM+ [2xQSFP+40gb & 1xSFP+10gb]
    1. Primary Function: L3 HW Offloading
    2. Video streaming - VLAN7(Video Streaming Server), VLAN8(TVs)
    3. VLAN24 - Music Streaming from Internet
  3. CRS504-4XQ-IN [2xQSFP28-100gb]
    1. Primary Function: Firewall-HW Offloading
    2. Segmenting IOT/Security Devices VLAN20-23 (10G)
    3. Firewall "Stateful Inspection" for Video/Music Streaming/TV
Any advice would be helpful.
Mikrotik-Network(small).jpg
Thanks