block all traffic in pptp connection except rdp

Hello
I have created a PPTP server for VPN connections, working perfectly.
I have created the VPN with an IP range different from the local network so that I can block everything except the RDP with the firewall.
The problem is that I do not know how to create the rules that only apply to VPN connections. I have created 2 rules, but they do not work.
This is my configuration (the rules that should cover all the traffic in the VPN except the RDP are marked with a comment):

/ip pool
add name=dhcp ranges=192.168.150.30-192.168.150.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip address
add address=192.168.150.254/24 comment=defconf interface=ether2-master network=192.168.150.0
add address=192.168.160.254/24 interface=VPN_Bridge network=192.168.160.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.150.0/24 comment=defconf gateway=192.168.150.254 netmask=24
add address=192.168.160.0/24 gateway=192.168.160.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PUERTO VPN 1723" dst-port=1723 protocol=tcp
# GRE is IP protocol 47 and has no ports, so it is matched with protocol=gre, not a TCP port
add action=accept chain=input comment="PUERTO GRE VPN" protocol=gre
# VPN rule 1 of 2: allow only RDP coming from the VPN
add action=accept chain=forward comment="permitir solo RDP VIA VPN" dst-port=3389 in-interface=VPN_Bridge protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# VPN rule 2 of 2: drop everything else coming from the VPN
add action=drop chain=forward in-interface=VPN_Bridge
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=31000 log=yes protocol=tcp to-addresses=192.168.150.240 to-ports=3389

Can anyone help me solve this problem with the firewall and PPTP connections?

I'm not sure what the VPN bridge looks like with PPTP, but as you say you have dedicated an IP subnet to the VPN clients, try replacing in-interface=VPN_Bridge with src-address=192.168.160.0/24 in both of your rules.

Hi sindy,
Thanks for the solution, I had not thought about creating the rules by IP.
I have modified the rules so that users who connect by VPN do not have access to the LAN except port 3389. Now it works: the RDP responds, but the server resources cannot be seen.

As no one more knowledgeable about the topic kicks in: I don't understand what exactly you mean by "RDP responds but the server resources cannot be seen", however the internet is full of doubt about whether RDP uses only TCP or also UDP. While it seems that TCP-only is a fallback variant whereas the use of both protocols is the preferred one, I've heard of some issues when UDP was blocked. So try permitting UDP as well in your rule (the port number is the same for both protocols) and see if it helps.
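As an added illustration (not code from this thread or from RouterOS), here is a small Python model of the forward chain as sindy suggests it in both replies: VPN clients matched by src-address instead of in-interface, RDP allowed on TCP only or on TCP and UDP, and everything else from the VPN pool dropped. The client and LAN addresses, the flows tested and the modelling of an unmatched RouterOS chain as accept are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
VPN_NET = "192.168.160.0/24"   # VPN client pool from the thread; test hosts below are constructed

@dataclass
class Packet:
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "new"          # connection-state: "new", "established" or "related"

@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    src_net: Optional[str] = None            # src-address=
    proto: Optional[str] = None              # protocol=
    dport: Optional[int] = None              # dst-port=
    states: Optional[frozenset] = None       # connection-state=

    def matches(self, p: Packet) -> bool:
        # Every matcher given on the rule must hold, as in a RouterOS filter rule.
        return ((self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states))

def forward_chain(allow_udp_rdp: bool) -> list:
    # sindy's ordering: accept RDP from the VPN pool, keep the established/related
    # accept, then drop whatever else comes from the pool (matched by address, not interface).
    rules = [Rule("accept", VPN_NET, "tcp", 3389)]
    if allow_udp_rdp:                       # second suggestion: RDP also on UDP/3389
        rules.append(Rule("accept", VPN_NET, "udp", 3389))
    rules.append(Rule("accept", states=frozenset({"established", "related"})))
    rules.append(Rule("drop", VPN_NET))
    return rules

def verdict(rules: list, p: Packet) -> str:
    # First matching rule wins; a packet no rule matches is accepted (assumed RouterOS default).
    for r in rules:
        if r.matches(p):
            return r.action
    return "accept"

def audit(allow_udp_rdp: bool) -> dict:
    # Representative new flows from a VPN client (192.168.160.10) and a LAN host (192.168.150.20).
    rules = forward_chain(allow_udp_rdp)
    flows = {"rdp_tcp": Packet("192.168.160.10", "tcp", 3389),
             "rdp_udp": Packet("192.168.160.10", "udp", 3389),
             "smb_tcp": Packet("192.168.160.10", "tcp", 445),
             "lan_smb": Packet("192.168.150.20", "tcp", 445)}
    return {name: verdict(rules, pkt) for name, pkt in flows.items()}
```

Calling audit(False) shows RDP over UDP dropped by the TCP-only rule, which is the symptom sindy's second reply addresses; audit(True) passes it while still dropping the other VPN traffic.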