I have a PPPoE server running for my LAN users through Mikrotik (PPPoE user IPs = 192.168.0.0/16). My Mikrotik router also provides DHCP for LAN users (LAN user IPs = 172.16.0.0/16); however, my DHCP server only provides an IP address and the appropriate subnet mask to LAN users through DHCP (172.16.0.3/255.255.0.0). Now I want to block games over the network, such as Counter Strike. I know that Counter Strike uses TCP 27015, but no matter what filter rules I make, it does not block Counter Strike over the LAN. Basically, I don't want my LAN users to make their own Counter Strike game servers; instead, I will create one for them.
If you want to isolate your clients, set up client isolation on the APs, or do port isolation on the switch ports. Then, no matter what settings a user places on their PC, they will not be able to scan and find other hosts on the network.
If it's not possible for you to get manageable switches, then the very last thing you can do is to limit their access by creating a DHCP subnet of /32.
Go to DHCP-server > Networks (take the properties of your subnet) > set Netmask to 32.
This way the user will get a 255.255.255.255 subnet, and it will prevent them from being able to directly access other users' computers.
But remember, this trick makes it a bit more difficult to scan, but it is easier to change the IP and MAC address, as clients have full control over their PCs. At its best, it prevents normal/casual users, but there is nothing to prevent people who are determined to do so.
Also place your Counter Strike server behind Mikrotik's DMZ; this way only PPPoE-connected users will be able to connect to your CS server.
Then use firewall filter rules to allow/deny access to specific targets.
You mentioned you are using src-port=27000-27050. Source ports are dynamic; they change.
Use dst-port instead.
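The steps suggested in the replies above, put together as a RouterOS configuration sketch. This is an added example, not part of the original posts: the server address 10.10.10.2 is a constructed placeholder, and the UDP rules are included on the assumption that the game traffic is UDP (the question names only TCP 27015).

```routeros
# Added example (not from the thread). Constructed value: 10.10.10.2 stands in
# for the Counter Strike server placed behind the router's DMZ.

# 1. Hand DHCP clients a /32 mask (DHCP-server > Networks > Netmask = 32).
/ip dhcp-server network set [find address="172.16.0.0/16"] netmask=32

/ip firewall filter

# Ineffective rule from the thread, shown for comparison only: a client picks a
# different source port for every connection, so a src-port match rarely hits.
# add chain=forward protocol=tcp src-port=27000-27050 action=drop

# 2. Allow PPPoE users (192.168.0.0/16, from the question) to reach the
#    sanctioned server on the game port, matched as the DESTINATION port.
add chain=forward src-address=192.168.0.0/16 dst-address=10.10.10.2 \
    protocol=tcp dst-port=27015 action=accept comment="CS server (tcp)"
add chain=forward src-address=192.168.0.0/16 dst-address=10.10.10.2 \
    protocol=udp dst-port=27015 action=accept comment="CS server (udp)"

# 3. Drop every other routed connection to the game port range, so a
#    user-hosted server is not reachable through the router.
add chain=forward protocol=tcp dst-port=27000-27050 action=drop \
    comment="block other CS servers (tcp)"
add chain=forward protocol=udp dst-port=27000-27050 action=drop \
    comment="block other CS servers (udp)"
```

The forward chain only sees packets the router actually routes. Traffic switched directly between two hosts on the same layer-2 segment never reaches these rules, which is why the replies recommend AP client isolation or switch port isolation first.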