Any RouterOS device with traffic passing the CPU works as a layer 3 router and will by default route traffic between all its connected networks. To stop this, you need to use ACLs or the firewall.

VLAN routing

An access port (or edge/untagged) is for untagged packets, usually a port where you connect devices like servers/clients.

A trunk port (or core/tagged) is usually used to connect 2 switches. It receives and forwards packets from different VLANs, which are trunked together inside the port/cable.

The hybrid port will allow both untagged and tagged packets on the same port. This can be used for a client that needs both normal untagged internet data and a separate secured VLAN network.

To set up VLAN tagging in the router (CPU), add a bridge for the VLAN:

Then create the desired VLAN interfaces, and connect them to the uplink interface:

And finally, to receive untagged vlan200 traffic for a device, add the client port and the VLAN to the bridge:

If you want ether9 to become a hybrid port, receiving untagged vlan200 and tagged vlan300 traffic, you would need to add:

Warning! Adding a VLAN to a MikroTik interface will automatically change the interface to trunk mode, and will take down the link for normal untagged traffic. If you need to add VLANs without downtime for untagged traffic, you have to start by adding a bridge with both the VLAN and the interface, to change the interface to hybrid mode.
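
The access-port steps above, together with the firewall rule the opening paragraph calls for, as an added example that is not from the original page. The uplink ether1, the second access port ether10, the bridge names and the documentation-range addresses are assumptions; the hybrid-port case is not shown.

```routeros
# Added example, not from the original page. Assumed names: ether1 = uplink
# trunk, ether10 = second access port (ether9 is the page's client port),
# 192.0.2.0/25 and 198.51.100.0/25 = documentation ranges standing in for
# the real subnets.

# One bridge per VLAN
/interface bridge
add name=br-vlan200
add name=br-vlan300

# Tagged VLAN interfaces on the uplink
/interface vlan
add name=vlan200 vlan-id=200 interface=ether1
add name=vlan300 vlan-id=300 interface=ether1

# Access ports: each bridge joins the tagged uplink VLAN to an untagged port
/interface bridge port
add bridge=br-vlan200 interface=vlan200
add bridge=br-vlan200 interface=ether9
add bridge=br-vlan300 interface=vlan300
add bridge=br-vlan300 interface=ether10

# Giving each bridge an address makes the router the gateway for that VLAN.
# From this point on it routes between the two subnets by default.
/ip address
add address=192.0.2.1/25 interface=br-vlan200
add address=198.51.100.1/25 interface=br-vlan300

# Stop inter-VLAN routing in both directions; traffic that stays inside one
# VLAN is bridged and never reaches the forward chain.
/ip firewall filter
add chain=forward in-interface=br-vlan200 out-interface=br-vlan300 action=drop comment="block vlan200 -> vlan300"
add chain=forward in-interface=br-vlan300 out-interface=br-vlan200 action=drop comment="block vlan300 -> vlan200"
```

Filter rules are matched top to bottom, so these drops must sit above any broader accept rule in the forward chain. The packet counters on the two rules show whether they are being hit.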