Basic Firewall Rules for ER7206?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-10-03 18:48:38
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.0 Build 20220117 Rel. 74491

Hi all -- Posting here because it is a 'business router' but it is for my home network.  Please accept my apologies if I should post in a different area.

 

I purchased the ER7206 to try and create a more secure home network as my primary firewall for my home network.  I have AT&T gigabit and want to change the AT&T supplied modem to be passthrough only.  However, I am finding the firewall setup in the ER7206 to be sorely lacking - or a lot of user error on my side.  I feel like I am just missing something major.  I'm NOT using the Omada software to configure my environment but I can if needed.  The reason I am not is I have a Deco Mesh and another smart switch that are not Omada compatible.  Maybe someone can help so I'll just enumerate my questions after a brief description of my environment:

 

I have four networks at home:   my main LAN (trusted devices), IoT (untrusted devices), work from home, and admin.  These are configured as VLANs but since I have a relatively simple setup, I have each LAN port of the ER7206 driving one (and only one) network.  I have a L3 switch that I have partitioned off by ports as well so my wired networks are separate.  I have an EAP 620 that I use to serve the wireless networks for my Admin, Working from Home, and IoT devices.  I have a Deco mesh to serve the wireless for my main LAN.

 

I have watched so many YouTube videos for different ACLs on different routers that I am cross-eyed.  They all seem to have a lot more configurability than the ER7206.  I am not a network admin by any stretch and I am throwing up the white flag.  My questions:

  1. If no rules are configured at all, what is the firewall blocking/allowing by default?  In other words, am I horribly exposed with no configuration or am I protected with only all of the Packet Anomaly Defense enabled on the Attack Defense tab of the Firewall settings?
  2. How do I create an 'allow established and related' rule?  That seems to be the number one rule to start with on all the YouTube videos and I do not see any equivalent in the ER7206.
  3. Does anyone have a good list of 'must have' rules to secure a very general network specific to ER7206? 
  4. I have a wired printer on my LAN network (i.e. 192.168.50.50).  What rule do I create to allow traffic from my Work from Home network (i.e. 192.168.100.X) to use that printer (I created an IP group for that printer but no rule I 'write' seems to allow it)?  Remember, I have my VLANs also segmented by physical ports.  Should this be a LAN > LAN rule or a LAN > WAN rule given my architecture?
  5. Similar to #4, I want my desktop PC, which is connected to my LAN network (e.g. 192.168.50.100/24), to be able to administer my router and switch on my Admin network (e.g. 192.168.200.1/24 and 192.168.200.2/24).  What rule do I create there?

 

Any help is appreciated.  Best regards and Thanks!

 

  0      
  0      
#1
Options
2 Reply
Re:Basic Firewall Rules for ER7206?
2022-10-03 19:00:24 - last edited 2022-10-03 19:01:32

  @JAinGA 

 

Firewall on the TP-Link ER routers is very configurable, but it doesn't really hold your hand.

 

A brief outline - 

 

Firewall rules are, as you say, based on ACL rules.  These rules are a combination of IP addresses (can be WAN or LAN / VLAN) and "Services".

 

Services are defined by port or protocol and are set in the "Preferences > Service Type" section of the GUI.

 

A simple example: you can define a new service type "PPTP" and set it to port 1723 - 1723, protocol TCP.  If you want the computer on 192.168.1.25 to NOT be able to use PPTP VPNs, you would add that IP to a new group "Grp25noPPTP" and set a new ACL to

 

"Block / Service PPTP / LAN > WAN / Source:Grp25noPPTP / Destination: IPGROUP_ANY"

 

As standard, the "Packet anomaly" and "Attack defense" are pretty much designed to defend against random port scanners / "hackers" online who probe your public IP address and launch DDoS attacks.  The ACL rules are far more flexible than just that defense.

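The reply above describes the three building blocks of an ER-series ACL: a "Service Type" (protocol plus port range), an IP group, and an ordered rule that joins an action, a service, a direction and a source/destination group. The Python below is an added illustration of that model, written for this page; it is not ER7206 firmware, TP-Link code, or anything from the reply. The first-match, default-allow evaluation is an assumption made for the example (check the rule order on your own unit), and the "IPP" service, the WFH_NET / LAN_NET / Printer groups and the two LAN>LAN rules are hypothetical names that extend the PPTP example to the poster's printer question to show why rule order matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Service:
    """A 'Service Type': protocol plus an inclusive destination-port range."""
    name: str
    protocol: str            # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # (first, last), e.g. (1723, 1723) for PPTP

    def matches(self, protocol: str, dport: int) -> bool:
        return self.protocol in ("any", protocol) and self.ports[0] <= dport <= self.ports[1]


@dataclass(frozen=True)
class Rule:
    """One ACL entry: action, service, direction, source group, destination group."""
    name: str
    action: str      # "allow" or "block"
    service: str     # a Service.name, or "ALL" for every protocol and port
    direction: str   # "LAN>WAN" or "LAN>LAN"
    src_group: str   # IP group name
    dst_group: str   # IP group name


class ACL:
    """Ordered rule list. Assumption for this example: first match wins, no match means allow."""

    def __init__(self, services: Dict[str, Service], groups: Dict[str, List[str]], rules: List[Rule]):
        self.services = services
        self.groups = {name: [ip_network(n) for n in nets] for name, nets in groups.items()}
        self.rules = rules

    def _in_group(self, group: str, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in net for net in self.groups[group])

    def evaluate(self, direction: str, src: str, dst: str, protocol: str, dport: int) -> str:
        """Return "allow" or "block" for one packet, checked statelessly against the rule list."""
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.service != "ALL" and not self.services[rule.service].matches(protocol, dport):
                continue
            if not (self._in_group(rule.src_group, src) and self._in_group(rule.dst_group, dst)):
                continue
            return rule.action
        return "allow"   # assumed default when nothing matches


def build_example_acl() -> ACL:
    services = {
        "PPTP": Service("PPTP", "tcp", (1723, 1723)),   # the reply's example service
        "IPP": Service("IPP", "tcp", (631, 631)),       # hypothetical print service for the LAN>LAN case
    }
    groups = {
        "IPGROUP_ANY": ["0.0.0.0/0"],
        "Grp25noPPTP": ["192.168.1.25/32"],             # the reply's example group
        "WFH_NET": ["192.168.100.0/24"],                # hypothetical names for the poster's subnets
        "LAN_NET": ["192.168.50.0/24"],
        "Printer": ["192.168.50.50/32"],
    }
    rules = [
        Rule("block-pptp-host25", "block", "PPTP", "LAN>WAN", "Grp25noPPTP", "IPGROUP_ANY"),
        # In a first-match list the narrow allow must sit above the broad block.
        Rule("wfh-to-printer", "allow", "IPP", "LAN>LAN", "WFH_NET", "Printer"),
        Rule("wfh-isolate", "block", "ALL", "LAN>LAN", "WFH_NET", "LAN_NET"),
    ]
    return ACL(services, groups, rules)


def demo() -> Dict[str, str]:
    """Verdicts for a few constructed packets against the example ACL."""
    acl = build_example_acl()
    return {
        "host25_pptp_out": acl.evaluate("LAN>WAN", "192.168.1.25", "203.0.113.9", "tcp", 1723),
        "host26_pptp_out": acl.evaluate("LAN>WAN", "192.168.1.26", "203.0.113.9", "tcp", 1723),
        "host25_https_out": acl.evaluate("LAN>WAN", "192.168.1.25", "203.0.113.9", "tcp", 443),
        "wfh_print": acl.evaluate("LAN>LAN", "192.168.100.20", "192.168.50.50", "tcp", 631),
        "wfh_to_desktop": acl.evaluate("LAN>LAN", "192.168.100.20", "192.168.50.100", "tcp", 445),
    }


def wrong_order_verdict() -> str:
    """Same rules with the broad block moved above the printer allow: the allow never fires."""
    acl = build_example_acl()
    acl.rules = [acl.rules[0], acl.rules[2], acl.rules[1]]
    return acl.evaluate("LAN>LAN", "192.168.100.20", "192.168.50.50", "tcp", 631)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("printer with rules misordered:", wrong_order_verdict())
```

The model judges every packet on its own, which is the stateless picture: nothing here remembers that the printer reply is part of a flow the WFH host started, so return traffic in the opposite direction would need its own matching rule. That is exactly the "established/related" gap the original question asks about.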
Re:Basic Firewall Rules for ER7206?
2022-10-04 18:19:30

  @JAinGA All my research has ended in this: the device does not provide a stateful firewall. :(
