"OH I SOLVE IT"
well, I have a bit help of my boss jeje
You have to do as following if you want that certain users surf only the walled garden:
Create 2 forward chain rules.
/ ip firewall filter
add chain=forward packet-mark=Account_Disabled hotspot=from-client action=jump \
jump-target=hs-unauth comment="" disabled=no
add chain=forward packet-mark=Account_Disabled hotspot=to-client action=jump \
jump-target=hs-unauth-to comment="" disabled=no
This do that all the traffic marked with "Account_Disabled" will be redirected to hs-unauth chain. So the user only surf the walled garden.
ONE MORE THING:
Disable Transparent proxy in the user profile you are using, because it won't work.
HOPE this help someone!