SOLVED
Hello!
This should help:
Create an advanced IPv4 ACL that will deny access to vlan 1 and 2 and allow everything else:
acl number 3333
rule 10 deny ip destination 192.168.1.0 0.0.0.255
rule 20 deny ip destination 192.168.2.0 0.0.0.255
rule 100 permit ip
then apply this ACL to a Vlan-interface3 in inbound direction:
interface Vlan-interface3
firewall packet-filter 3333 inbound
Subnet mask is /24 (255.255.255.0), but in ACLs we use wildcard masks, so 0.0.0.255 is absolutely perfect match for /24 subnet.
BTW, there is a difference between traffic to the router itself (like in your example with login over SSH from the Ubuntu pc) and pass-through traffic. Could you test if from your Ubuntu pc in Vlan3 you can access some other hosts in Vlan1 except the router itself? BTW, just to be sure we are on the same page - all hosts in all VLANs should have their default gateways pointing to the respective Vlan-interface on the MSR, e.g. we need to be sure inter-VLAN traffic really passes through this router and not through some other device.