Block access to specific IPs

Hi friends,

I want to block my users from accessing our tower equipment. I have created different VLANs for this purpose, but users can still ping or access the equipment. For example, I have added the IP 192.168.18.xx/24 to my physical interface which is connected to the Tower Switch, and I created a separate VLAN named PPPOE under that physical interface with PPPOE-POOL IPs. Users can ping that pool 192.168.18.xx/24 and can also open the Rocket M5 or any other device on that tower. I also want to allow my office DHCP Server IPs to access that pool 192.168.18.xx/24.

Kindly Help…

Inter-VLAN traffic is possible by default. You have to add firewall rules to block any inter-VLAN traffic.
Something like:

/ip firewall filter
add action=drop chain=forward comment="Block intervlan traffic" in-interface=VLAN1 out-interface=VLAN2

...or you have to completely change the philosophy of your firewall to "forbid everything that is not explicitly permitted". It is the more secure one, because if you forget to permit some traffic in this setup, your legal users will quickly let you know about that. If you stick with "permit everything that is not explicitly forbidden" and you forget to forbid something, your illegal users will never let you know.

A firewall built according to the former principle looks as follows:
connection-state=established,related,untracked action=accept
connection-state=invalid action=drop

(only connection-state=new packets make it up to this place)
...condition list 1... action=accept
...condition list N... action=accept
action=drop

The firewall rules provided in the SOHO models of Mikrotik routers unite the last two rules above into a single one, saying "drop everything except what comes from LAN".
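The skeleton above filled in for the situation in the question, as an added example that is not part of any post in this thread. It combines the inter-VLAN drop from the first reply with the "forbid everything not explicitly permitted" layout of the second. All interface names, the interface list names, the PPPoE pool 10.10.0.0/24 and the office server addresses 192.168.1.10-11 are assumptions; only 192.168.18.0/24 (tower management) comes from the question.

```routeros
# Added example, not from the thread. Assumed names:
#   ether1-wan     uplink
#   ether2-tower   port to the tower switch, router has 192.168.18.1/24 here
#   ether3-office  office LAN with the DHCP servers
#   pppoe-in*      dynamic PPPoE server interfaces, pool 10.10.0.0/24 (assumed)
/interface list
add name=WAN
add name=TOWER
add name=OFFICE
add name=PPPOE
/interface list member
add interface=ether1-wan list=WAN
add interface=ether2-tower list=TOWER
add interface=ether3-office list=OFFICE

# PPPoE client interfaces are created dynamically, so they are put into the
# PPPOE interface list through the PPP profile instead of one by one.
/ppp profile
set default interface-list=PPPOE

/ip firewall address-list
add list=tower-mgmt address=192.168.18.0/24 comment="Rocket M5 and other tower gear"
add list=office-servers address=192.168.1.10 comment="office DHCP server (assumed)"
add list=office-servers address=192.168.1.11 comment="office DHCP server (assumed)"

/ip firewall filter
# Stateful core: existing flows pass, broken ones are dropped.
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
# From here on only connection-state=new packets are evaluated.
# 1. Only the office servers may open connections to the tower equipment.
add chain=forward src-address-list=office-servers dst-address-list=tower-mgmt action=accept \
    comment="office servers -> tower gear"
# 2. PPPoE subscribers may go to the internet, nowhere else.
add chain=forward in-interface-list=PPPOE out-interface-list=WAN action=accept \
    comment="subscribers -> internet"
# 3. Office LAN may go to the internet.
add chain=forward in-interface-list=OFFICE out-interface-list=WAN action=accept \
    comment="office -> internet"
# Everything not permitted above (PPPoE -> tower, PPPoE -> office, ...) dies here.
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="default deny"

# Pinging the router's own 192.168.18.1 is chain=input, not forward, so the
# forward rules alone do not hide that address from subscribers.
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=PPPOE dst-address-list=tower-mgmt action=drop \
    comment="subscribers may not talk to the router's tower-side address"
```

`/ip firewall filter add` appends to the end of the chain, so on a fresh router the order above is the evaluation order; on a router that already has a final drop rule, add the accept rules with `place-before=` so they land above it, otherwise they are never reached. After applying it, `/ip firewall filter print stats` shows whether the "default deny" counter is climbing and `/log print where message~"fwd-drop"` shows who is being dropped, which is how legitimate traffic you forgot to permit gets noticed quickly.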

Thanks @erlinden, this idea worked for me. I made an address list of my PPPOE users' IPs and of the Tower Equipment IPs, then made a Firewall Rule with Forward chain and Action Drop, added those Address lists to the rule, and it's done.
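The address-list variant that the last post describes, written out as an added example (not the poster's actual configuration), including the exception for the office DHCP servers that the question asked for. The pool 10.10.0.0/24 and the server addresses 192.168.1.10-11 are assumptions; 192.168.18.0/24 is the tower subnet from the question. The point it shows is rule order: in a "permit everything not explicitly forbidden" firewall the accept for the servers must sit above the drop, and the drop should be placed before any existing catch-all accept, or the drop is never evaluated.

```routeros
# Added example, not from the thread. Assumed addresses:
#   10.10.0.0/24    PPPoE subscriber pool
#   192.168.1.10-11 office DHCP servers that must keep reaching the tower gear
/ip firewall address-list
add list=pppoe-users address=10.10.0.0/24
add list=tower-equipment address=192.168.18.0/24
add list=office-servers address=192.168.1.10
add list=office-servers address=192.168.1.11

/ip firewall filter
# Exception first: office servers may open connections to the tower gear.
add chain=forward src-address-list=office-servers dst-address-list=tower-equipment \
    action=accept comment="office servers -> tower gear"
# Then the block the thread ends with: subscribers may not reach the tower gear.
add chain=forward src-address-list=pppoe-users dst-address-list=tower-equipment \
    action=drop log=yes log-prefix="pppoe-to-tower" comment="Block PPPoE users -> tower"

# If the router already has a broad accept rule in forward (e.g. the default
# "accept in=LAN" from a SOHO config), move both rules above it, otherwise the
# accept wins first. Replace 0 with the number shown by 'print' for that rule.
/ip firewall filter print where chain=forward
/ip firewall filter move [find comment="office servers -> tower gear"] destination=0
/ip firewall filter move [find comment="Block PPPoE users -> tower"] destination=1

# Verification from the router: a subscriber address must fail, a server must pass.
/ip firewall filter print stats where comment~"tower"
/log print where message~"pppoe-to-tower"
```

Drop rules by source address only cover new traffic from addresses in the list; connections that were already established when the rule was added keep flowing until they end, so clear them with `/ip firewall connection remove [find src-address~"^10.10.0"]` (an assumed pool prefix) if you need the block to take effect immediately. Also, as with the interface-based rules, this forward rule does not stop a subscriber from pinging the router's own 192.168.18.x address; that needs a matching rule in chain=input.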