port isolation details/example?

I have a client that wishes to not allow “the boys” to have access to the “adult” portion of their network, but does want to allow “the boys” to access the internet.

It seems that I can simply allow only one-way traffic between the internet port (ether1) and the two local ports (ether2 and ether3) thusly:

/ip firewall filter
add chain=forward in-bridge-port=ether2 out-interface=ether1 action=accept
add chain=forward in-bridge-port=ether3 out-interface=ether1 action=accept
add chain=forward in-interface=ether1 action=accept
add chain=forward action=drop

However, I could find no information about the “in-bridge-port” option, or whether it requires an actual bridge to exist. Further, if I need a bridge defined, do I actually need two bridges (one between ether1 and ether2, and a second bridge between ether1 and ether3)?

I’ve scoured the forum, as well as looked through the documentation, but I have found no details on these options.

Pointers anyone?

I do not believe it is possible to add one interface to multiple bridges. At least, when I try to add the same interface to a bridge, it displays an error that the interface is already a bridge port.

If you do not have a bridge, you can just use in-interface and out-interface when you need to block access between interfaces.
It is also possible to use just the src-address and dst-address matchers to drop traffic within one network or between different networks.
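
The bridge-less approach from the reply, written out as an added example that is not part of the thread. It assumes ether1 is the internet uplink, ether2 is the "adult" LAN and ether3 is the "boys" LAN, each a routed interface with its own subnet; the comments and log prefix are made up for illustration.

```routeros
# Added example. Assumed roles: ether1 = internet, ether2 = adult LAN, ether3 = boys LAN.
# No bridge is configured, so in-interface/out-interface are used instead of in-bridge-port.
/ip firewall filter

# Allow replies to connections that a LAN host opened. This takes the place of a
# blanket "in-interface=ether1 action=accept", which would also pass unsolicited traffic.
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Isolation between the two LANs, both directions. The final default drop would
# catch these as well; explicit rules give each direction its own counter and log line.
add chain=forward in-interface=ether3 out-interface=ether2 action=drop log=yes log-prefix="boys-to-adult" comment="boys -> adult blocked"
add chain=forward in-interface=ether2 out-interface=ether3 action=drop comment="adult -> boys blocked"

# New outbound connections from each LAN to the internet.
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="adult -> internet"
add chain=forward in-interface=ether3 out-interface=ether1 action=accept comment="boys -> internet"

# Everything else, including new connections arriving on ether1, is dropped.
add chain=forward action=drop comment="default drop"

# Check which rules are matching after a test from each LAN:
# /ip firewall filter print stats
```

Rule order matters here: the established/related accept sits first so that return traffic never reaches the default drop, and the isolation drops sit above the internet accepts so they cannot be shadowed.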