Hotspot LAN problem

RouterOS Beginner Basics
1

Hi I have implemented hotspot on my Mt router using radius(both on the same router). Here is the senerio:
It a school and we have different department all connected to the same internet via DHCP-Hotspot. each department needs to share local files files privately, and also use their printers on the network privately. I am having problem configuring the router to segment/hide each department's system and still provide hotspot services to them?

Here is my config:

[admin@MikroTik] /ip> address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 44.194.12.85/29 44.194.12.80 44.194.12.87 INTERNE
1 192.168.16.1/21 192.168.16.0 192.168.23.255 LAN

[admin@MikroTik] /ip hotspot> profile print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit=""
http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no

1 name="hsprof1" hotspot-address=192.168.16.1 dns-name="login.unec.net" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=http-chap,trial
split-user-domain=no trial-uptime=1m/1d trial-user-profile=default use-radius=yes
radius-accounting=yes radius-interim-update=received nas-port-type=ethernet
radius-default-domain="" radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX

[admin@MikroTik] /ip> firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

2 ;;; Allow esatblished connections
chain=input action=accept connection-state=established

3 ;;; Allow related connections
chain=input action=accept connection-state=related

4 ;;; Allow UDP
chain=input action=accept protocol=udp

5 ;;; Allow ICMP
chain=input action=accept protocol=icmp

6 ;;; Allow connection to router from local network
chain=input action=accept in-interface=LAN

7 X ;;; Drop everything else
chain=input action=drop