If you terminate your VLANs on your MX then you have the ability to just use the L3/4 firewall rules on the MX to prevent one network from reaching the other. At the beginning of your MX firewall rule set just add a rule deny any, source AVL network, destination private address spaces. Then you can still have other filtering rules to any, like HTTP, HTTPS, DNS, NTP, ICMP, for AVL towards the internet.
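Added example, not part of the original post: a small first-match model of an L3 rule list, showing why the deny rule toward private address space has to sit above the allow rules. The AVL subnet `10.50.0.0/24`, the rule tuple layout and the trailing default allow are assumptions made for illustration.

```python
import ipaddress

# Assumption: constructed AVL VLAN subnet; substitute your own.
AVL_NET = ipaddress.ip_network("10.50.0.0/24")
# "Private address spaces" taken here as the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# (policy, protocol, source nets, destination nets, dest ports or None = any)
RULES = [
    ("deny",  "any",  [AVL_NET], RFC1918, None),       # the rule from the post
    ("allow", "tcp",  [AVL_NET], ANY,     {80, 443}),  # HTTP, HTTPS
    ("allow", "udp",  [AVL_NET], ANY,     {53, 123}),  # DNS, NTP
    ("allow", "icmp", [AVL_NET], ANY,     None),
    ("deny",  "any",  [AVL_NET], ANY,     None),       # everything else from AVL
]


def evaluate(rules, proto, src, dst, dport=None):
    """Return the policy of the first rule that matches the flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy, r_proto, srcs, dsts, ports in rules:
        if r_proto not in ("any", proto):
            continue
        if not any(src_ip in net for net in srcs):
            continue
        if not any(dst_ip in net for net in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        return policy
    return "allow"  # assumption: models a default allow at the end of the list


def misordered(rules):
    """Same rules, but with the private-space deny moved below the allows."""
    return rules[1:4] + [rules[0]] + rules[4:]


if __name__ == "__main__":
    flows = [("tcp", "10.50.0.20", "192.168.10.5", 443),   # AVL -> other VLAN
             ("tcp", "10.50.0.20", "93.184.216.34", 443),  # AVL -> internet
             ("udp", "10.50.0.20", "8.8.8.8", 53)]
    for flow in flows:
        print(flow, "correct order:", evaluate(RULES, *flow),
              "| misordered:", evaluate(misordered(RULES), *flow))
```
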