Install Soekris net6501 (http://soekris.com/products/net6501/net6501-30-board-case.html) and a Wi-Fi access point to it. It can be plugged in as a mini-PCI board, or you can buy a separate device and plug it into an Ethernet port.
The box contains 4 gigabit ports, two USBs (you can plug in a 3G modem), the pfSense operating system based on FreeBSD. All your needs are covered with a vengeance.
If the presence of gigabit ports is not important, then take the ALIX.2D13 solution (http://www.pcengines.ch/alix2d13.htm)

The picture didn't make much sense, which is exactly what I thought.
Without going into details, if without the task of counting traffic, I would probably take some kind of microtic 5 or more port and a separate Wi-Fi point.
If the Accounting of traffic is important then any computer acc. min. Debian requirements with 3 network cards + level 2 switch, for example DGS-1100-16 + Wi-Fi point.
I didn’t work with Mikrotiks, I won’t help, if you decide on the second option, write in a personal.

see asus n56 open linux firewall, open architecture, open install optware. Customize and add anything and however you like, there is a lot of memory in the processor too. I changed about five routers until I stopped.

I also recommend paying attention to the Pfsense.org distribution based on FreeBSD. everything you need is there, including guest Wifi (http://tinyurl.com/7r7brve).
It is placed on a regular computer with several network interfaces and is configured very easily through the web face.

some kind of crooked task imho ...
let's point by point:

Combine all machines into one network with division into workgroups

exactly only the names of the working groups should be divided? and as a consequence - but what is the sacred meaning in this?
If we divide, then I would divide it by subnets or in general by 802.1q if the switch (s) supports (s). Your decision in most cases only makes life difficult for users and the master browser.

launch an antivirus from them on the Internet

please rephrase, who where to let?

Up to the top you need guest WiFi

With "only internet"? or also with (forbidden /) access to some working group?

It would be great to limit the amount of traffic to users, because the tariff is limited

Any traffic or just http? because these are completely different solutions and neither one nor the other option is solved by your desired piece of iron.
a router with a flexible firewall and traffic accounting according to your requirements can only be based on a *nix-like system, the recommended asus with the left firmware will most likely help you, but you will have to taste red-eyed to the fullest.
I would put any computer even on a miniITX with Linux + iptables, level 2 switches with 802.1q and a separate Wi-Fi point.
according to Dlink - find a regional representative in your city and ask for this piece of iron in the test. I did this repeatedly, almost always rolled - everything is in the black.

use NAT to forward UDP packets from outside around the clock

so tell the hidden meaning? is direct here all-all UDP?