Got another question for you guys!
I've managed to create 3 VLANs and prevent them from communicating with each other while still keeping internet access. However, I'm struggling to figure out how to stop them from accessing my 192.168.1.0/24 network (where the management interface resides). Basically, I don't want users on these VLANs to be able to log in to the EdgeRouter, or to reach anything else on the same network as the EdgeRouter.
I tried adding a specific rule to the VLAN_IN firewall ruleset to drop packets destined for 192.168.1.0/24, and then another one for the specific IP address 192.168.1.100, but that didn't work: clients on the VLANs were still able to access 192.168.1.100.
Any suggestions?
Full configuration is below:
firewall { all-ping enable broadcast-ping disable group { address-group ROUTER_IP { address 192.168.8.9 address 192.168.16.17 address 192.168.24.25 } network-group VLAN_NETS { network 192.168.8.8/29 network 192.168.16.16/29 network 192.168.24.24/29 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name VLAN_IN { default-action accept rule 10 { action accept destination { group { address-group ROUTER_IP } } } rule 20 { action drop destination { group { network-group VLAN_NETS } } } } options { mss-clamp { mss 1492 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 192.168.1.100/24 duplex auto speed auto } ethernet eth1 { duplex auto speed auto vif 20 { address 192.168.8.9/29 description mate firewall { in { name VLAN_IN } } } vif 30 { address 192.168.16.17/29 description tpg firewall { in { name VLAN_IN } } } vif 40 { address 192.168.24.25/29 description skymesh firewall { in { name VLAN_IN } } } } ethernet eth2 { duplex auto pppoe 0 { default-route auto mtu 1492 name-server auto password **************** user-id **************** } speed auto } ethernet eth3 { duplex auto speed auto } ethernet eth4 { duplex auto speed auto } loopback lo { } switch switch0 { mtu 1500 } } service { dhcp-server { disabled false hostfile-update disable shared-network-name mate { authoritative disable subnet 192.168.8.8/29 { default-router 192.168.8.9 dns-server 192.168.8.9 lease 86400 start 192.168.8.10 { stop 192.168.8.14 } } } shared-network-name skymesh { authoritative disable subnet 192.168.24.24/29 { default-router 192.168.24.25 dns-server 192.168.24.25 lease 86400 start 192.168.24.26 { stop 192.168.24.30 } } } shared-network-name tpg { authoritative disable subnet 192.168.16.16/29 { default-router 192.168.16.17 dns-server 192.168.16.17 lease 86400 start 192.168.16.18 { stop 192.168.16.22 } } } use-dnsmasq disable } dns { forwarding { cache-size 150 
listen-on eth1.20 listen-on eth1.30 listen-on eth1.40 } } gui { http-port 80 https-port 443 listen-address 192.168.1.100 older-ciphers enable } nat { rule 5000 { description mate log disable outbound-interface pppoe0 protocol all type masquerade } } ssh { port 22 protocol-version v2 } } system { host-name ubnt login { user ubnt { authentication { encrypted-password **************** } level admin } } name-server 8.8.8.8 name-server 8.8.4.4 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC }