Potentially several solutions depending on how you are handling the ports.
Layer2 isolation is 1st.
Disable Default Forward on your Wireless NIC's to keep clients on a single wlan from talking to each other.
If in your diagram the Ethernet ports are bridged then you could use Split Horizon in the bridge port settings (on the router) to isolate the two towers at layer2.
You could also use bridge-filter on the AP for very tight control of what L2 protocols will be passed.
You can also have a unique PPPoE Server for each tower interface so there is no L2 communication possible between towers
Then Layer 3 (IP).
You need to firewall your users from each other.
If you use Userman to authenticate the users then prhaps have it add the users into an Address list then drop traffic from the address list to the address list for example.
You could also have a specific pool or ip subnet for each towers clients and use these in your firewall rule.
If you specify a forward rule with in-interface=all ppp (assuming you are not using ppp for WAN etc in which case perhaps src-address=client_subnet) out-interface !=wan action=drop.
There are other methods too - you just need to carefully think what you want to stop and what to allow.
I hope this helps point you in the right direction.