Well,the ER-PoE, doesn't have a vlan-aware switch-chip, if you create the vif's on the (parent) switch0 interface, these VLAN's will be applied on all the switchports (the eth interfaces that belong to the switch0 interface), while if you create the VLAN's on a single, routed, ethernet interface, theVLAN's will be only there. You can take a look here, for some hints, then, understood how it works, try something like this
configure set firewall group network-group PRIVATE_NETS network 192.168.0.0/16 set firewall group network-group PRIVATE_NETS network 172.16.0.0/12 set firewall group network-group PRIVATE_NETS network 10.0.0.0/8 set firewall modify balance rule 10 action modify set firewall modify balance rule 10 destination group network-group PRIVATE_NETS set load-balance group A interface eth0 set load-balance group B interface eth1 set firewall modify balance rule 10 modify table main set firewall modify balance rule 20 action modify set firewall modify balance rule 20 destination group address-group ADDRv4_eth0 set firewall modify balance rule 20 modify table main set firewall modify balance rule 30 action modify set firewall modify balance rule 30 destination group address-group ADDRv4_eth1 set firewall modify balance rule 30 modify table main set firewall modify balance rule 60 action modify set firewall modify balance rule 60 source address 1.2.3.0/24 set firewall modify balance rule 60 modify lb-group A set firewall modify balance rule 70 action modify set firewall modify balance rule 70 source address 5.6.7.0/24 set firewall modify balance rule 70 modify lb-group B commit
Of course, relace 1.2.3.0/24 and 5.6.7.0/24 with the correct source nework address, and remeber to apply the firewall modify balance ruleset on all the vif's, eg for switch0.10
configure set interfaces switch switch0 vif 10 firewall in modify balance commit sudo conntrac -F
Test, if ok, issue save (otherwise, a reboot will revert back the router to previous config)
Cheers,
jonatha