I'm excited! That's a lot of help from all of you, thanks!
Time to let you know how it worked out.
A VLAN-capable switch would be the best option but we simply can't afford one right now. Even second-hand switches are expensive and hard to find. Probably because of the location.
It would need to have 4 GB ports because of some large transfers and 10/100 is just too slow.
I chose robb's low cost solution in combination with the rules Javier proposed, and similar to what Marcus posted.
I have now implemented this on two subnets using separate interfaces and two switches. The very first rule in "firewall>packet filter>Filtering rules for internal networks" is:
Decision Deny - source 192.168.0.0/16 - destination 192.168.0.0/16 - service ! camaras - description deny subnets
Using a 16-bit subnet mask does kill all communication except for the "camaras" service; those are security cameras and they need to be available to everyone.
There is one minor issue, however: I'm using a transparent proxy, so everything running on port 80 would still be accessible by everyone, as this appears of course to be coming from localhost.
To solve that I moved the management interfaces of the routers to the "HTTPS" protocol; after that the firewall blocked them as well.
One remaining web interface is a network printer without an HTTPS option. That can be solved by using a strong password.
There is still some space in the server for additional network cards, but they would have to be PCI-E x1. I've seen some of those cards having up to 4 network ports, but if they are costly a VLAN switch would still be the best option.
Cheers.
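
Added example, not part of the original post: a small Python model of the deny rule and the transparent-proxy exception described above, useful for listing which cross-subnet flows stay reachable. The port for the "camaras" service (554), the host addresses, and the function names are assumptions made for illustration; the proxy behaviour is a simplified model of what the post observes.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.0.0/16")
CAMARAS_PORTS = {554}   # assumption: constructed port for the "camaras" service
PROXY_PORT = 80         # port the transparent proxy intercepts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def deny_subnets(flow: Flow) -> bool:
    """The post's first rule: deny internal -> internal unless service is camaras."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return src in INTERNAL and dst in INTERNAL and flow.dport not in CAMARAS_PORTS


def reachable(flow: Flow, transparent_proxy: bool = True) -> bool:
    """True if the client can reach the destination through the gateway."""
    if transparent_proxy and flow.dport == PROXY_PORT:
        # Simplified model of the post's observation: the proxy re-issues the
        # request from the gateway itself, so the inter-subnet rule never
        # matches the client's address.
        return True
    return not deny_subnets(flow)


def audit(flows, transparent_proxy: bool = True):
    """Return the flows that cross subnets despite the deny rule."""
    return [f for f in flows
            if deny_subnets(f) and reachable(f, transparent_proxy)]


# Constructed sample flows from a client on one subnet to hosts on the other.
SAMPLE = [
    Flow("192.168.1.10", "192.168.2.1", 80),    # router web UI over HTTP
    Flow("192.168.1.10", "192.168.2.1", 443),   # router web UI over HTTPS
    Flow("192.168.1.10", "192.168.2.50", 554),  # camera
    Flow("192.168.1.10", "192.168.2.60", 80),   # printer web UI
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("rule intended to deny, but reachable via proxy:", f)
```

In this model only the two port-80 flows are reported, which matches the post: the HTTPS management interface is blocked, while the HTTP-only printer remains reachable through the proxy.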