Traffic isolation between Mikrotik VLANs. Filter rules are not working. Perhaps there is some other way?

On Mikrotik, VLANs are configured according to the "modern" model - as here - https://soft-setup.ru/oborudovanie/vlan-bridge-na-... - using 1 (one) bridge.

ether1, 2 - WAN ports
ether3 - tagged port for VLAN30, 100
ether4 - tagged port for a switch with VLAN40, 100
ether6 - access port (this port will be provided to a third party, so I want to block access to it).

Bridge: Bridge1_vlan

Bridge rule examples:

Bridge VLAN 120

tagged: bridge1_vlan
Untagged: ether6

Bridge VLAN 40

tagged: ether3
ether4
bridge1_vlan

Bridge VLAN 100

tagged: ether3
ether4
bridge1_vlan PVIDs

on the interfaces are registered in the bridge ports.

Everything works fine, there are trunk ports on Mikrotik (which sends tagged vlans to another switch for access ports) and an access port on the microt itself (ether6). In general, traffic "runs" in all directions.

The problem is that it is not possible to isolate the created vlans from each other.

Let's say I need to isolate access from the access port of Mikrotik ether6 (in which 120vlan is spinning) so that there is no access to 40, 100 vlan.

Yes, I understand that according to the above scheme, all vlans are brought into one bridge and, accordingly, therefore they see each other. But this is how many articles now recommend breeding into Wealans, but not a single article says how to isolate each other ...

I tried to create rules in the IP - Firewall, for the Forward chain, which would drop (DROP) Src.Address = 10.10. 120.0/30 Dst. Address = 10.10.40.0/24 and so on, but it doesn’t help, as the pings went - they go, resources from 40, 100 wealans are available for 120 wealans, and the network scanner also gives everything on a silver platter.

In which direction to dig?

PS IP - Routes - Rules - do not work by the way either.