pfSense and Mikrotik CRS226 VLAN solution

New to VLAN configuration so apologies in advance. I have an SG-2220 pfSense router in addition to a CRS226-24G-2S+RM switch that have been performing very well for the past year. I have added another 8 port PoE switch and am in the process of adding IP security cameras.

I want to segregate the IP camera traffic using VLANs and need advice on the best route to take. I only have 1 WAN and 1 LAN port on the pfSense router. So I have to configure the VLANs in RouterOS on the CRS226 via the switch chip in order to bypass the CPU and bottle-neck traffic.

I've read a lot on the Mikrotik forums and through their documentation lately and a port based VLAN setup appears to be the most logical option: https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN. Does this appear to be the correct way to go? The more I re-read the documentation the more it feels like I'm running in circles.

- Set up a trunk port from the CRS226 to the pfSense router
- Configure ether9 as VLAN20 (connects to 8 port PoE IP cam switch)
- Configure ether10 as access port to VLAN20
- All other ports on CRS226 as VLAN10

ether1 (trunk)

ether2-8, ether11-24 (VLAN10) ---> PCs, media server, etc

ether9 (VLAN20) ---> 8 port PoE switch -------> ip cameras

ether10 (VLAN20) - access port

RouterOS configurations I've read about have all been much more complicated than what I'm trying to do. First time researching VLAN configuration and RouterOS documentation has been confusing as hell to get my head around lol. Would love any feedback or advice if this makes any sense before I start making changes.
Thanks,
Reed

Want IP cameras isolated from the rest of network. Also have the ability to access only the Blue Iris server remotely via VPN tunnel which I can configure with pfSense.

Is something like this diagram I drew up in OpenOffice Draw the correct way to go about achieving this?

Yeah, that should work. You just want to tag the port connected to pfSense, everything else should be untagged. On pfSense create two VLAN interfaces for each VLAN and assign those to interfaces (replace LAN and add a new one for the second VLAN). After that just set up the firewall rules the way you want.
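
The port layout discussed in this thread, written out as a switch-chip configuration. This is an added example, not part of the original posts. It uses the CRS1xx/2xx switch menus from the Port Based VLAN section of the MikroTik wiki page linked in the question, and it assumes that ether1-ether24 are already grouped for hardware switching and that VLAN IDs 10 and 20 match the VLAN interfaces created on pfSense.

```routeros
# Added example for the layout in the question (ether1 trunk, ether9/ether10 in
# VLAN 20, all other copper ports in VLAN 10). Assumption: the ports are already
# in one hardware-switched group, so frames never cross the switch CPU.

# Access ports: untagged frames (customer-vid=0) are assigned the port's VLAN.
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 sa-learning=yes \
    ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
add customer-vid=0 new-customer-vid=20 sa-learning=yes ports=ether9,ether10

# Trunk to pfSense: frames leave ether1 tagged with their VLAN ID.
# Ports not listed here send frames untagged.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20

# VLAN membership: a frame is only forwarded between ports in the same entry,
# so the camera ports share a table only with the trunk.
/interface ethernet switch vlan
add learn=yes vlan-id=10 \
    ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
add learn=yes vlan-id=20 ports=ether1,ether9,ether10

# Enforce membership on ingress: drop frames carrying an unknown VLAN ID or
# arriving on a port that is not a member of that VLAN.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
```

With this in place the switch only separates the two VLANs at layer 2; whether the camera VLAN can reach anything else is decided by the firewall rules on the two pfSense VLAN interfaces.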