tdash
just joined
Topic Author
Posts: 9
Joined: Fri Jan 08, 2010 8:36 pm

How to Block Network Games?

Thu Dec 29, 2011 11:48 pm

I have a PPPoE server running for my LAN users through Mikrotik (PPPoE users' IPs = 192.168.0.0/16). My Mikrotik router also provides DHCP for LAN users (LAN users' IPs = 172.16.0.0/16); however, my DHCP server only provides an IP address and the appropriate subnet mask to LAN users (172.16.0.3/255.255.0.0). Now I want to block games over the network, such as Counter Strike. I know that Counter Strike uses TCP 27015, but no matter what filter rules I make, it does not block Counter Strike over the LAN. Basically, I don't want my LAN users to make their own Counter Strike game servers; instead I will create one for them.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

How to Block Network Games?

Fri Dec 30, 2011 6:05 am

Show the rules you are using to try to block this.
 
tdash
just joined
Topic Author
Posts: 9
Joined: Fri Jan 08, 2010 8:36 pm

Re: How to Block Network Games?

Fri Dec 30, 2011 6:16 am

Here are the rules:
add action=drop chain=forward comment="COUNTER STRIKE" disabled=no protocol=\
    udp src-address=172.16.0.0/16 src-port=27000-27050
add action=drop chain=forward comment="COUNTER STRIKE" disabled=no protocol=\
    tcp src-address=172.16.0.0/16 src-port=27000-27050
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

How to Block Network Games?

Fri Dec 30, 2011 6:21 am

Are the game servers for LAN users or outside users?
 
tdash
just joined
Topic Author
Posts: 9
Joined: Fri Jan 08, 2010 8:36 pm

Re: How to Block Network Games?

Fri Dec 30, 2011 6:53 am

They are for the LAN users, i.e. (172.16.0.0/16).

What I have in mind is that when LAN users make a Counter Strike server, their network packets are not going through the Mikrotik; maybe that is why the Mikrotik is unable to block them over the LAN.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

How to Block Network Games?

Fri Dec 30, 2011 6:58 am

Assuming you are using a switch, this will not work. The traffic is not passing through the router, therefore the router can't block it. You will have to get a switch with port isolation or use VLANs to isolate ports.
 
tdash
just joined
Topic Author
Posts: 9
Joined: Fri Jan 08, 2010 8:36 pm

Re: How to Block Network Games?

Fri Dec 30, 2011 7:20 am

What if I don't have a port isolation switch? Is there any other way to make all of the LAN traffic first pass through the Mikrotik? I've actually seen someone do it, but it was through Microsoft ISA Server 2004. If ISA Server can do it, I think Mikrotik can do it too, right?
 
aacable
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: How to Block Network Games?

Fri Dec 30, 2011 12:21 pm

tdash wrote:
> I have a PPPoE server running for my LAN users through Mikrotik (PPPoE users' IPs = 192.168.0.0/16). My Mikrotik router also provides DHCP for LAN users (LAN users' IPs = 172.16.0.0/16); however, my DHCP server only provides an IP address and the appropriate subnet mask to LAN users (172.16.0.3/255.255.0.0). Now I want to block games over the network, such as Counter Strike. I know that Counter Strike uses TCP 27015, but no matter what filter rules I make, it does not block Counter Strike over the LAN. Basically, I don't want my LAN users to make their own Counter Strike game servers; instead I will create one for them.

If you want to isolate your clients, set up client isolation on the APs or do port isolation on the switch ports. Then no matter what settings users place on their PCs, they will not be able to scan and find other hosts on the network.

If it's not possible for you to get manageable switches, then the very last thing you can do is to limit their access by creating a DHCP subnet of /32.
Go to DHCP-server > Networks (take the properties of your subnet) > set Netmask to 32.
This way the user will get a 255.255.255.255 subnet mask and it will prevent them from being able to directly access other users' computers.

But remember, this trick makes it a bit more difficult to scan, but it is easier to change the IP and MAC address, as clients have full control over their PCs. At its best, it just prevents normal/casual users, but there is nothing to prevent people who are determined to do so.

Also place your Counter Strike server behind Mikrotik's DMZ; this way only PPPoE-connected users will be able to connect to your CS server.

Then use firewall filter rules to allow/deny access to specific targets.

You mentioned you are using src-port=27000-27050. Source ports are dynamic, they change;
use dst-port instead.
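
The two suggestions in the post above (a /32 DHCP netmask and matching on dst-port), combined as RouterOS configuration. This is an added example, not part of the original thread: the 172.16.0.0/16 range and the 27000-27050 port range come from the earlier posts, while the rule comments and the choice to match LAN-to-LAN traffic with dst-address are assumptions.

```routeros
# Added example (not from the thread). Assumes the DHCP network entry is
# 172.16.0.0/16, as stated in the first post.

# Step 1: hand out a /32 netmask. With a 255.255.255.255 mask a client treats
# no other host as on-link, so traffic to its neighbours is sent to the
# gateway and reaches the router's forward chain. Clients pick up the new
# mask only when they renew their lease.
/ip dhcp-server network set [find address=172.16.0.0/16] netmask=32

# Before (rules as posted in the thread): they match on the SOURCE port.
#   add action=drop chain=forward protocol=udp src-address=172.16.0.0/16 src-port=27000-27050
#   add action=drop chain=forward protocol=tcp src-address=172.16.0.0/16 src-port=27000-27050

# After: match the DESTINATION port of LAN-to-LAN connections, since the
# port a game server listens on is the fixed one.
# The comment text is a hypothetical label used for the check below.
/ip firewall filter
add chain=forward action=drop protocol=udp src-address=172.16.0.0/16 \
    dst-address=172.16.0.0/16 dst-port=27000-27050 comment="LAN game servers"
add chain=forward action=drop protocol=tcp src-address=172.16.0.0/16 \
    dst-address=172.16.0.0/16 dst-port=27000-27050 comment="LAN game servers"

# Check: packet/byte counters show whether the rules ever see traffic.
/ip firewall filter print stats where comment="LAN game servers"
```

If the counters stay at zero while a LAN game is running, the traffic is still being switched directly between hosts (for example from a client with a manually set /16 mask) and never reaches the forward chain. A server placed in a separate subnet, such as the DMZ suggested above, is not matched by these rules because its address is outside 172.16.0.0/16.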
 
MCT
Member Candidate
Posts: 158
Joined: Wed Mar 03, 2010 5:53 pm

Re: How to Block Network Games?

Fri Dec 30, 2011 5:03 pm

Is there any particular reason why you have to be the one to run the counterstrike server? It seems like a very quick way to breed hate and discontent to me and short of cutting off their network connections there will be ways around your attempts to block it.
 
tdash
just joined
Topic Author
Posts: 9
Joined: Fri Jan 08, 2010 8:36 pm

Re: How to Block Network Games?

Fri Dec 30, 2011 6:01 pm

Thanks Jahanzaib Bhai, your reply is very helpful.

@ MCT
:D I am not mean. Actually, the reason for blocking Counter Strike over the network is that players over the LAN make too extensive use of cheats, and no matter how hard you try, those arrogant cheaters just don't give up. My approach of having only one Counter Strike server will result in an anti-cheat server, and even if someone somehow manages to use cheats, they will be banned from the server for good (until they submit their apology and stop using cheats). That way, some day people will stop using cheats and we will once again have a peaceful LAN game :D
 
aacable
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: How to Block Network Games?

Fri Dec 30, 2011 8:16 pm

MCT wrote:
> Is there any particular reason why you have to be the one to run the counterstrike server? It seems like a very quick way to breed hate and discontent to me and short of cutting off their network connections there will be ways around your attempts to block it.

I do agree with MCT. Don't force users to use only one Counter Strike server created by you.
Just make your server safe and secure with anti-cheat addons. Make it good, enhanced with multiple addons like ADMINMOD, AMX MOD, scripts, a map voting system, exciting maps, and especially the PSYCHOSTATS ranking system, like the one below.
http://aacable.wordpress.com/2011/09/16 ... ng-system/
Then advertise it properly, create tournaments, add lucky draws and a very small cut in the fee for top users. So when users get frustrated with other servers where cheating is common, they will definitely stick to your server, because they will be sure that your server is fully protected and peaceful for playing. Do some competition, bro.

Don't just get hard on users regarding CS or end-user facilities, otherwise people will search for other workarounds to break your barriers.

Ahhhhh, there are so many things you can do on your network besides just providing them internet only. Use your brain :lol:
