Hi-
I've set up an RB450 as an internet router with 2 separate internal subnets:
eth 1 - internet
eth 2 - 192.168.0.0/24
eth 3 - 10.0.0.0/24

I've limited communication between the internal subnets via the firewall:
add action=accept chain=forward comment="" disabled=no dst-port=3389 \
in-interface="3Alt Internal" protocol=tcp src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no dst-port=1723 \
in-interface="3Alt Internal" protocol=tcp src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no in-interface=\
"3Alt Internal" protocol=gre src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no dst-address=\
192.168.0.1 in-interface="3Alt Internal" limit=1,5 protocol=icmp \
src-address=10.0.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=\
192.168.0.0/24 in-interface="3Alt Internal" src-address=10.0.0.0/24
add action=drop chain=input comment="" disabled=no dst-address=\
192.168.0.0/24 in-interface="3Alt Internal" src-address=10.0.0.0/24

Things work fairly well, except for the VPN - When I connect to a PPTP VPN server at 192.168.0.1, communication to the 192.168.0.0/24 subnet works (passes over the VPN) except for any communication to 192.168.0.1 other than VPN - that doesn't work.

My design goal was to only allow minimal access from 10.0.0.0 to 192.168.0.0, and require a connection to the existing VPN server for any more access. I get the feeling, though, that I'm hitting a wall as far as what my config can do - would there be a better way to configure?

You want to do something useless and wrong. Don't! Just write the goal here and people will tell you how to do it.

The PPTP server shouldn't logically reside on the same subnet that you're trying to tunnel to. Make an intermediate network, and assign a secondary NIC in that server to that network, then VPN to that secondary address. That way the physical machine can be on that tunnel network, but logically you can reach it separately.

MCB - The initial post was clear as mud. What I have is a small office with an internet connection. What I'm looking to do is have a separate subnet set up for wireless access and guests to be able to access the internet. I can't have a wireless AP on the main office subnet. I'm guessing that some valid users will want to be able to access the office network via wireless, so I'd like to set up access for things like VPN and RDP from the separate subnet to the main office subnet.

fewi - do you mean to put another nic in the server at 192.168.0.1 and physically connect it to the guest and wireless net?
*EDIT* Sorry, meaning, set up a 3rd subnet and connect that nic there? Would there be an easier way to config that wouldn't allow the 3rd subnet - it seems a little complicated.

*EDIT2*
I guess I accidentally brought up a 3rd option - configure the Mikrotik to block all communication from the guest and wireless net, add a second nic to my RDP/VPN server and physically attach to the guest and wireless net, but firewall all ports except RDP and VPN. More simple than having the intermediate subnet, but fairly secure.