Hi there, we supply internet service to condo by pppoe. Recently we received complaints from users saying that they having issue on their company vpn Zscaler or Pulse secure vpn, their vpn client is connected but they cannot access to their company network and not internet access at all.
My network topology is very simple: Mikrotik BRAS > GPON OLT > ONT; My internet source is we subscribed a residential broadband with dynamic public ip from another ISP and use it as WAN of Mikrotik BRAS. The following is my mikrotik config:

/interface vlan
add interface="To OLT GPON-SFP+1" name=DataVlan100 vlan-id=100
add interface=sfp3 name=vlan500 vlan-id=500
/ip pool
add name="Data DHCP Pool Vlan 100" ranges=10.1.100.2-10.1.100.254
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.1.100.1 name="Data ProfileVlan 100" only-one=yes remote-address="Data DHCP Pool Vlan 100"
/interface pppoe-client
add disabled=no interface=vlan500 max-mru=1492 max-mtu=1492 name=pppoe-out-ISP profile=default user=ilovemikrotik
/interface pppoe-server server
add authentication=pap default-profile=Def-Prof disabled=no interface=DataVlan100 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 one-session-per-host=yes service-name="CBRAS PPPoE_Data"
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out-ISP src-address-list=10.1.100.0/24
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out-ISP

Has anyone encountered the similar issue, or any mikrotik master out there can advise?