To do what you are asking (whether it is really what you want/need) you will need to use switches that have port isolation as an option.
For example, see Port Isolation for how a MikroTik 24 port switch running SwOS can be configured.
Assuming you want to do everything on the RB2011 which has multiple switches, you are going to have more of a problem, and I don't know if it can be done without involving the RB2011 CPU, and that will affect performance. But if you are using wireless, that's already using the CPU for bridging between wired and wireless ports (going only by the block diagram).
If you can limit everything to the Gb switch, then you may be able to use the /interface ethernet switch port-isolation feature to do what you are asking about, but it won't help with wireless.
Yeah, that makes sense that it would be easier to have all 3 PCs on one switch (eth2-4). I did check in WinBox, and in Switch => Port isolation, you can "forward override" and then choose "forward to".
The only struggle is that I need to add a new cable through the house. I don't mind cables on the wall, but other people in the household do.
If you are just trying to protect the Windows PCs, why not just use the Windows firewall?
I do use Windows firewall, and I even choose the option to be NOT detectable on the network, but with Windows updates (Windows doing stuff in the background) and vulnerabilities, I do like to have more security even in the router.
--------------------------------------------------
I see that I did try filters in Bridge like
EXAMPLE:
/interface bridge filter
add action=drop chain=forward dst-mac-address=1 src-mac-address=2
add action=drop chain=forward dst-mac-address=2 src-mac-address=1
In the Bridge settings, I did try turning "Use IP Firewall" and "allow fast path" on and off,
and in the firewall I did try it like this:
EXAMPLE:
/ip firewall filter add action=drop chain=forward src-address=1 dst-address=2
/ip firewall filter add action=drop chain=forward src-address=2 dst-address=1
But still, when I turn off the Windows firewall and then ping the IP address, it wasn't blocked.
So is there another way, where I make 6-9 rules to block by IP (all IP addresses are static) or MAC address, so that it blocks communication between devices, and turn off some hidden setting like "allow fast path"?