I assume there is a reason why you are using the legacy firmware?
The firewall can be used in your case.
By default, both wired LAN and WiFi are in the same LAN zone. The same applies to both mobile interfaces - both are in the WAN zone.
So first, you need to separate the LAN into distinct zones. There are a couple of ways to achieve this. I would suggest taking a look at VLANs. We have a Wiki article here that describes how to manage communications between VLANs. The same principles can be applied to your case. VLAN configuration examples can be found here.
So when you have VLAN configured on your LAN ports, then you can separate mob1s2a1 from the WAN. Edit and remove the mob1s2a1 (SIM2) interface from the WAN zone. Create a new mobile2 zone for mob1s2a1 (where mob1s2a1 is in covered networks). After that, for the VLAN zone, allow routing only to the WAN zone (where wired WAN and mob1s1a1 (SIM1) interfaces are). For your normal LAN zone, where your WiFi network is, allow routing to both zones, WAN and the new mobile2 zone. This way, the VLAN network will only be able to access the internet via wired WAN and mob1s1a1, but the devices in the WiFi zone will be able to access wired WAN, mob1s1a1, and mob1s2a1.
One of the alternatives to VLANs would be to create a new WiFi instance (SSID), put it into a separate (new) network, then allow it to access the WAN and mobile2 zones, while limiting the LAN zone to only WAN.
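The zone layout described above, written out as a firewall config fragment. This is an added example, not code from the original post or from Teltonika; it assumes the device uses standard OpenWrt UCI firewall syntax and that the VLAN network is named 'vlan10' (a hypothetical name).

```uci
# /etc/config/firewall, zone and forwarding sections only (added example).
# Assumed network names: 'lan' (wired LAN + WiFi), 'vlan10' (hypothetical VLAN
# network), 'wan' (wired WAN), 'mob1s1a1' (SIM1), 'mob1s2a1' (SIM2).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'vlan'
	list network 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# WAN zone keeps wired WAN and SIM1 only; mob1s2a1 is removed from here
config zone
	option name 'wan'
	list network 'wan'
	list network 'mob1s1a1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# New zone that covers SIM2 alone
config zone
	option name 'mobile2'
	list network 'mob1s2a1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN (including WiFi) may route to wired WAN/SIM1 and to SIM2
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'mobile2'

# VLAN may route to wired WAN/SIM1 only; no forwarding to mobile2
config forwarding
	option src 'vlan'
	option dest 'wan'
```

Apply it with `/etc/init.d/firewall restart`, then confirm with `uci show firewall` that the only forwarding with `src='vlan'` has `dest='wan'`.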