how can I route between my eth.n ports?

Hi all,

I have a question for which I do not understand the manual …
Is firwall and internal forwarding problem, and I cannot come on top of it, need to understand better.

I have a CCR1009 router and got it working just fine with my internal LAN.
Now I want to try to make things more complex and split the internal LAN in three parts.

So I have the following nets:
A.eth1 with 192.168.200.0/24 which goes to WAN,
B.eth2,3,4 on bridge1 with 10.145.0.0/16
C.eth5,6 on bridge2 with 10.146.0.0/16
D.eth7 with 192.168.0.0/17

B,C and D see A. OK.
B,C,D see D.
B does not see C and C does not see B.

How can I fix it and make B see C and C see B?
and the other way round, is there a way to isolate D, while A remains obvioulsly visible?
and why all see not only A but also D (all 192.168.x.x)?

my ROUTES panel has (Pref.Sourc is the Mikrotk port IP, 192.168.200.1 is the WAN router)
DST addr - GW - Pref.Source
0.0.0.0/0 - 192.168.200.1 reachable - eth1-WAN
10.145.0.0/16 - bridge1 reachable - 10.145.0.254
10.146.0.0/16 - bridge2 reachable - 10.146.0.254
192.168.0.0/17 - eth7 reachable - 192.168.0.1
192.168.200.0/24 - eth1-WAN reachable - 192.168.200.100

Thanks
Guido

On terminal type: export hide-sensitive
and paste all output here

Concur, need to see export and relationship in firewall rules.
You have to consider L2 connectivity, and L3 connectivity that the router will attempt to connect the subnets.
Technically speaking the two bridges and one subnet not on a bridge should not see each other on L2, unless I am mistaken, but the router depending upon fw rules may allow
every subnet to reach any other subnet.

I prefer to work with one bridge and do all my L2 separation by VLANs
Add chain=forward action=drop as my last rule and that ensures that L3 connectivity between VLANS is blocked unless before that rule I specifically gave permission for vlanx to talk to vlany for example.