Make an address-list containing the IPs of clients not permitted internet access, then drop packets from those clients out the WAN interface.
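# Address list of client subnets that must not reach the internet
/ip firewall address-list
add list=no_internet address=10.2.0.0/24
add list=no_internet address=10.3.0.0/24
# Drop forwarded traffic from those clients leaving via the WAN interface
# (replace [name of WAN interface] with the actual interface name)
/ip firewall filter
add chain=forward out-interface=[name of WAN interface] src-address-list=no_internet action=drop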
Edit: this is assuming that there's an interface for internet only. If you have a setup where some of those clients are behind the WAN interface, this won't work. If that's the case, post details of your network layout.