kravemir
Frequent Visitor
Topic Author
Posts: 98
Joined: Sun Aug 13, 2023 10:55 am
Location: Slovakia

IDS/IPS - SOHO - pfSense, OPNsense, or other with/without RouterOS?

Sat Aug 24, 2024 10:16 am

RouterOS's firewall can shield networks (VLANs) from outer threats, but most hacks are executed from within the network by a malicious actor (compromised device with software/firmware backdoor phoning C&C, ...).

I'm thinking of adding pfSense, OPNsense, Suricata, Snort or another IDS/IPS to the stack. I have literally zero experience with those. I'm wondering which one to pick.

Some of those can also act as a router, do inter-VLAN routing, and act as an IPS, blocking suspicious traffic between VLANs. Does it make sense to run a router with RouterOS then, if such a firewall can basically replace it? Did anyone replace their edge/main RouterOS router with a routing IDS/IPS firewall?

In case of not replacing RouterOS, does RouterOS support (easy) integration with any IPS?

And what's your overall experience with IDS/IPS for SOHO? Which is the easiest to set up, and reliable?
 
anav
Forum Guru
Posts: 23213
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IDS/IPS - SOHO - pfSense, OPNsense, or other with/without RouterOS?

Sat Aug 24, 2024 8:26 pm

Didn't think any existed that were any good. I am aware of high-end routers $$$, and then you need to pay subscriptions $$$.
 
Joni
Member Candidate
Posts: 160
Joined: Fri Mar 20, 2015 2:46 pm

Re: IDS/IPS - SOHO - pfSense, OPNsense, or other with/without RouterOS?

Sun Aug 25, 2024 10:45 am

There is no inside nor outside.
There is no safe side and other side.
Either you allow traffic or you don't.
There are no safe or dangerous IPs and ports; anything can communicate to any address and port.
Once malicious software is on the inside it effectively instantly becomes the outside.

https://en.wikipedia.org/wiki/Zero_trust_security_model

https://github.com/funkolab/cs-mikrotik-bouncer including bouncing yourself, because, especially in relation to MikroTik, the inside is more often the danger.
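A worked example of the address-list approach that the bouncer link above relies on, added here and not taken from the thread or from the cs-mikrotik-bouncer project: a small Python script that turns IDS/IPS block decisions (constructed samples, deliberately including an internal host) into RouterOS address-list entries with timeouts, and emits the firewall rules that drop matching traffic in the forward and input chains. The list name `ids_block`, the decision record layout and the `ids:` comment prefix are assumptions; the RouterOS commands themselves (`/ip firewall address-list`, `/ipv6 firewall address-list`, `/ip firewall filter`) are the standard ones.

```python
"""Added example: feed IDS/IPS block decisions into RouterOS address lists.

Not the thread's code nor the cs-mikrotik-bouncer project's code; it only
demonstrates the technique (dynamic address-list entries with timeouts plus
drop rules that reference the list). Sample decisions are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

LIST_NAME = "ids_block"  # assumed address-list name

# Constructed sample decisions in the shape an IDS/IPS engine might emit:
# what to block, for how long (seconds), and why. The 192.168.20.15 entry
# is an internal host, because inside hosts get bounced too.
SAMPLE_DECISIONS: List[Dict] = [
    {"value": "203.0.113.7", "duration_s": 14400, "scenario": "ssh-bf"},
    {"value": "192.168.20.15", "duration_s": 3600, "scenario": "c2-beacon"},
    {"value": "198.51.100.0/24", "duration_s": 5400, "scenario": "port-scan"},
    {"value": "2001:db8::5", "duration_s": 7200, "scenario": "http-probe"},
    {"value": "not-an-ip", "duration_s": 60, "scenario": "garbage"},
]


def ip_version(value: str) -> Optional[int]:
    """Return 4 or 6 for a valid address or prefix, None for anything else."""
    try:
        return ipaddress.ip_network(value, strict=False).version
    except ValueError:
        return None


def ros_timeout(seconds: int) -> str:
    """Render a duration in RouterOS style, e.g. 14400 -> '4h', 5400 -> '1h30m'."""
    if seconds <= 0:
        raise ValueError("timeout must be positive")
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    if seconds or not parts:
        parts.append(f"{seconds}s")
    return "".join(parts)


def address_list_commands(decisions: List[Dict], list_name: str = LIST_NAME) -> List[str]:
    """One address-list 'add' per valid decision; invalid targets are skipped.

    IPv6 targets go to /ipv6 firewall address-list, which is a separate table
    in RouterOS. The comment is restricted to a safe character set so nothing
    from an untrusted scenario name can break the quoted command.
    """
    commands = []
    for decision in decisions:
        version = ip_version(decision["value"])
        if version is None:
            continue  # do not push garbage into the router
        root = "/ip" if version == 4 else "/ipv6"
        scenario = "".join(
            ch for ch in decision["scenario"] if ch.isalnum() or ch in "-_.:"
        )
        commands.append(
            f"{root} firewall address-list add list={list_name} "
            f"address={decision['value']} "
            f"timeout={ros_timeout(decision['duration_s'])} "
            f'comment="ids:{scenario}"'
        )
    return commands


def filter_rule_commands(list_name: str = LIST_NAME) -> List[str]:
    """Drop rules that act on the list: forward (inter-VLAN and WAN traffic in
    both directions) and input (traffic aimed at the router itself).
    place-before=0 puts each rule at the top of its chain."""
    rules = []
    for root in ("/ip", "/ipv6"):
        for chain, match in (
            ("forward", "src-address-list"),
            ("forward", "dst-address-list"),
            ("input", "src-address-list"),
        ):
            rules.append(
                f"{root} firewall filter add chain={chain} {match}={list_name} "
                f'action=drop comment="ids:{chain}-{match}" place-before=0'
            )
    return rules


if __name__ == "__main__":
    # Print the script a bouncer would push over the RouterOS API or SSH.
    for line in filter_rule_commands() + address_list_commands(SAMPLE_DECISIONS):
        print(line)
```

The filter rules are generated once and kept; only the address-list entries change as decisions arrive and expire, which is what makes the list approach cheap on a small router: a rule lookup against a list is one match, however many entries the list holds.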
 
killersoft
Member Candidate
Posts: 273
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: IDS/IPS - SOHO - pfSense, OPNsense, or other with/without RouterOS?

Mon Aug 26, 2024 1:24 am

I am going down this path at the moment.
I have a front-end WAN MikroTik RB5009, connected to a Netgate pfSense hardware appliance for internet services for desk PCs, which are also in an Active Directory environment.
That said, at this point I will be going down either a proxy gateway approach or a transparent bridge with either Suricata or Snort. Certs will get pushed via AD.
Ideally unusual traffic patterns will get picked up and blocked.
The front-end MikroTik will of course do its finest with firewalling.
 
kravemir
Frequent Visitor
Topic Author
Posts: 98
Joined: Sun Aug 13, 2023 10:55 am
Location: Slovakia

Re: IDS/IPS - SOHO - pfSense, OPNsense, or other with/without RouterOS?

Tue Aug 27, 2024 9:02 am

@killersoft, do you mean that you have pfSense between the ISP and the RB5009, or between the RB5009 and the LAN (switch, devices, ...)?

And what does it have to do with certs and Active Directory? Isn't an IDS/IPS a transparent network MITM that detects/kills suspicious connections?