This is best done using the L3 firewall rules on the MX. You rules should look something like this:
Allow you internal networks to your internal networks
Allow the source IP of the devices you want to get Internet to "Any"
Deny any to any
On the connection between the MX64 and MS120, assuming you have it set to trunk mode, only allow the VLANs that you want to have internet.
Layer 2 VLANs that reside on the switch, say you just created VLAN 500 to test with for example, won't be able to go across unless your allowing VLAN 500 on the switch uplink/MX downlink ports.
Are you using the MX64 for DHCP for the VLANs that don't need Internet?
If so, then on the outbound firewall rules, assuming you have a specific subnet for the VLANs you don't want to go out to the Internet, just add on the firewall outbound rules
Deny the entire subnet to any outbound destination.
Layer 2 VLANs that reside on the switch, say you just created VLAN 500 to test with for example, won't be able to go across unless your allowing VLAN 500 on the switch uplink/MX downlink ports.
Are you using the MX64 for DHCP for the VLANs that don't need Internet?
If so, then on the outbound firewall rules, assuming you have a specific subnet for the VLANs you don't want to go out to the Internet, just add on the firewall outbound rules
Deny the entire subnet to any outbound destination.
