pppoe and non-pppoe users bandwidth limiting

I have a setup where there are some pppoe and some static-ip users. Static ip users use some 10.x.x.x ip addresses while pppoe users use 192.168.x.x; static ip addresses are shaped on cbq directly on the linux nat gateway, while 192.168.x.x is shaped on mikrotik, which is between the linux gateway and the wireless users. Well, the problem is if some wireless user gives himself a static address from the 192.168.x.x network, he can go directly to the internet without being shaped.
SO THE QUESTION IS
How can I make some firewall rules or something to permit going through mikrotik only those 192.168.x.x addresses which are given from ip pool over radius?

On your MT (PPPoE server) allow only traffic from PPPoE interfaces to your Linux GW.

We could perhaps have done this in our own language, Dusan, couldn't we?! :wink:

Well, the problem is those addresses (for pppoe users) are given from the ip pool dynamically, so I’d like advice on how to dynamically, using the firewall or some other tool, allow passage of only those 192.168.x.x addresses that are currently logged in on radius.


The rest of the forum and the moderators would probably object if I posted in our language :wink:

I think this is more secure if you allow only PPPoE interfaces to pass. But if you insist, then I suppose you have to use a mangle rule to add to a src(dst)-address list and then use some firewall rule for that list.
http://www.mikrotik.com/docs/ros/2.9/ip/mangle

I’m not sure I understood you correctly about that, what do you mean by PPPoE interfaces? IP addresses of pppoe clients, or?

When a PPPoE client connects, the PPPoE server creates a new interface for that user (i.e. <pppoe-some_username>). You can make a rule to drop all packets from static interfaces (i.e. ethernet, wlan) that are trying to get outside.

Wireless and ethernet interfaces are bridged, and there go those two subnets 10.x.x.x and 192.168.x.x; 10.x.x.x addresses are regulated at the linux gw with iptables and stuff, while 192.168.x.x is completely allowed to go through iptables and users are authenticated at radius. So I guess by blocking interfaces I will prevent 10.x.x.x users from getting to the internet?

Then block everything except 10.x.x.x on the bridge interface. If this is not suitable then try with those lists I mentioned before.
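The two approaches suggested in this thread (drop anything leaving the bridge that is not a 10.x.x.x static user, or track active PPPoE addresses in an address list with a mangle rule and filter on that list), written out as RouterOS firewall rules. This is an added example, not configuration posted by anyone in the thread. It assumes the interface and subnet layout shown later in the thread (static users on 10.0.0.0/24 and PPPoE users on 192.168.5.0/24, both reachable via bridge1) and that the PPPoE server terminates clients on per-user <pppoe-...> interfaces, so legitimate 192.168.5.x traffic never arrives on bridge1 itself; the list name pppoe-active and the in-interface negation syntax are assumptions and may need adjusting for the RouterOS version in use.

```routeros
# Added example (not from the thread). Assumed layout:
#   bridge1          - ether + wlan bridged; static users live here (10.0.0.0/24)
#   <pppoe-user>     - dynamic interfaces created per PPPoE session (192.168.5.0/24)

# --- Approach 1: interface-based (the "allow only PPPoE interfaces" advice) ---
# Traffic from a real PPPoE session enters on its <pppoe-...> interface, not on
# bridge1. So any 192.168.5.x source seen on bridge1 is a self-assigned static
# address trying to bypass the PPPoE/RADIUS path.
/ip firewall filter
add chain=forward in-interface=bridge1 src-address=10.0.0.0/24 action=accept \
    comment="static users: shaped on the Linux gateway, let them through"
add chain=forward in-interface=bridge1 action=log log-prefix="bridge-bypass " \
    comment="log the spoofed/self-assigned source before dropping (detection)"
add chain=forward in-interface=bridge1 action=drop \
    comment="everything else arriving on bridge1 (e.g. fake 192.168.5.x) is dropped"

# --- Approach 2: address-list based (the mangle + list advice) ---
# Populate pppoe-active from sources that arrive on a non-bridge interface,
# i.e. the <pppoe-...> interfaces, and let entries age out when the session
# stops sending. Assumption: in-interface negation (!bridge1) is supported.
/ip firewall mangle
add chain=prerouting in-interface=!bridge1 src-address=192.168.5.0/24 \
    action=add-src-to-address-list address-list=pppoe-active \
    address-list-timeout=10m comment="track addresses currently in use by PPPoE sessions"

# Then forward 192.168.5.x only if the address is in the list.
/ip firewall filter
add chain=forward src-address=192.168.5.0/24 src-address-list=!pppoe-active \
    action=drop comment="192.168.5.x not backed by a live PPPoE session: drop"
```

Approach 1 is the simpler and stricter of the two: it does not depend on a timer and cannot be fooled by a user who starts sending from an address that a real PPPoE session also holds. Approach 2 only helps where the interface layout cannot be relied on; the timeout means a freshly disconnected user's address stays allowed for up to 10 minutes, so keep it short. Check the log prefix bridge-bypass in /log print to see which wireless clients are attempting the bypass.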

You did confuse me with your configuration, you know :confused: Why bridging… …never mind… you know why…

0 10.0.0.104/24 10.0.0.0 10.255.255.255 bridge1
1 192.168.5.1/24 192.168.5.0 192.168.5.255 bridge1

Both ip addresses are attached on the bridge1 interface, so if I block everything besides 10.0.0.x I guess I’ll block 192.168.5.x too. I don’t know whether pppoe users (192.168.x.x) would be able to access the internet if I remove 192.168.5.x from the bridge1 interface and attach that ip address to the wireless interface.