1. First create a firewall group containing the RFC1918 private address range 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This is done in Settings > Routing & Firewall > Firewall > Groups > Create New Group and then click Save. See the screenshot below:
2. Still within Firewall Settings, move from the Groups tab to the Rules IPv4 tab, select LAN IN1 and click Create New Rule, filling in the following configuration data:
CREATE NEW RULE
Name: to your liking
Enabled: ON
Rule Applied: Before redefined rules
Action: Drop or Reject2
IPv4 Protocol: all
ADVANCED
Logging: to your liking
States: all unchecked
IPsec: Don't match on IPsec packets
SOURCE
Source Type: Address/Port Group
IPv4 Address group: RFC1918 (the name of the group created in step 1)
Port Group: Any
MAC Address: Leave blank
DESTINATION
Destination Type: Address/Port Group
IPv4 Address Group: RFC1918
Port Group: Any
Using the above rule will block all private network communication between VLANs, however, same-subnet/VLAN traffic will be allowed as expected because it will never be sent to the default gateway (USG). The data will traverse the layer 2 network and be transmitted via frames by the switches in between.