/ip firewall filter add chain=forward src-address=192.168.168.0/25 action=accept
/ip firewall filter add chain=forward src-address=192.168.168.128/26 protocol=tcp dst-port=1723 action=accept (ips from 192.168.168.128-191)
/ip firewall filter add chain=forward src-address=192.168.168.128/26 action=drop
/ip firewall filter add chain=forward src-address=192.168.168.192/26 action=drop (blocks ips from 192.168.168.192-254)
You’ll need to add in an accept for gre in there too on the pptp range
this is to accept GRE for those fortunate enough that are allowed to use pptp tunnels.
/ip firewall filter add chain=forward src-address=192.168.168.128/26 protocol=gre action=accept
/ip firewall filter add chain=forward src-address=192.168.168.128/26 protocol=tcp dst-port=1723 action=accept
/ip firewall filter add chain=forward src-address=192.168.168.128/26 protocol=gre action=accept should go before
/ip firewall filter add chain=forward src-address=192.168.168.128/26 action=drop