Hello. I have...

Place A - MikroTik:
lte1, public IP, active VPN server PPTP, VPN Secret user is (on screenshot for details)

Place B - Windows on WiFi my friend (without MikroTik):
wlan - 192.168.100.0/24

Before connection to VPN Server on "Place A" i am visit webpage "https://www.whatismyip.com/" where is show IP from my friend ISP provider.
After connect to VPN Server on "Place A" and I am visit webpage "https://www.whatismyip.com/" now but show IP as my Public IP on "Place A" side.

I want to advise what should I change in the Mikrotik settings so that after connecting to the VPN the connectivity of Place A is not used but the connectivity of the friend on the "Place B" side is used?

You should search for "split tunnel", this way you can choose whether traffic should be routed through the gateway or over the vpn.

Whether to use VPN as default gateway is client-side config. On Windows it's somewhere in VPN connection's IPv4 settings as advanced config, called "use gateway of remote subnet" or something like that. Btw, PPTP is terribly outdated.

If you want your windows client not to use the VPN connection to access the internet, you should unselect on the VPN adapter that is created, under the TCP/IPv4 advanced, the option use default gateway on remote network, that for some reason is by default enabled...

Whether to use VPN as default gateway is client-side config. On Windows it's somewhere in VPN connection's IPv4 settings as advanced config, called "use gateway of remote subnet" or something like that. Btw, PPTP is terribly outdated.

Yes. I know about this solution, but I can't tell this VPN client this guide and what they connect so they connect from different computers and also mobile phones (it can't be turned off there). And the data limit is very limited, so it must not happen to me in any case that someone forgets to set it, otherwise no one will be able to connect for a whole month.

I'm from the Czech Republic and the operators here ask for 13 times more than the data they charge in the surrounding countries, so internet connection is a very expensive item (mobile internet only). Public IP is considered a luxury here.. Although we are almost in the middle of Europe. I don't know why it works like this for many years.

Use the firewall to allow access to only specific resources of your network, from traffic that is coming from your VPN connection and drop all the rest...

Use the firewall to allow access to only specific resources of your network, from traffic that is coming from your VPN connection and drop all the rest...

I already have that. I built a firewall and limited what I could. But this is a really big problem with that VPN, so I'm working on it now. It is a pity that the packets cannot be compressed at the router level or with the help of MikroTik Cloud and its DDNS some service that would be able to compress the traffic and then decompress it again (between MT and the Cloud domain sn.mynetname.net).

IP Packing (IP - Packing) is not possible for LTE connections :/ (on side of mobile operators)

Whether to use VPN as default gateway is client-side config. On Windows it's somewhere in VPN connection's IPv4 settings as advanced config, called "use gateway of remote subnet" or something like that. Btw, PPTP is terribly outdated.

New VPN protocol L2TP is supportted split tunnel nativelly?

I use mainly SSTP-VPN with the Windows Internal Client, in some cases L2TP/IPsec (Apple can't run STTP without 3 Party products).
In both of them, you can use the split tunnel option on Windows.
But if you want to block internet traffic on your router, I don't know a other way to block it in the firewall.
Perhaps you could utilize the "Address List" field in the ppp-profile to create a List of all VPN-users and block the traffic to the internet for this list.

Use the firewall to allow access to only specific resources of your network, from traffic that is coming from your VPN connection and drop all the rest...

I already have that. I built a firewall and limited what I could. But this is a really big problem with that VPN, so I'm working on it now.

What do you mean?
You can configure the user profile so that the users be automatically added to a specific address list.
Then through that list you can allow or drop whatever you wish..
I think its really easy...

You could as well use the incoming-filter parameter on the profile, and create a custom chain for the ppp users...

Other than that with L2TP/IPsec you can't push routes to the client.. That is why you have to manually disable the parameter mentioned earlier...

I'm from the Czech Republic and the operators here ask for 13 times more than the data they charge in the surrounding countries, so internet connection is a very expensive item (mobile internet only).

You know the term "specific market", right?

But jokes aside, you can easily block unwanted traffic from VPN clients using firewall. Allow access to internal network, block the rest. It's not great, because client will still try to use VPN to access internet, but at least the amount of transfered data will be minimal (only initial connection attempts).

If you want VPN where this is not a problem, you can try Wireguard. Downside is that systems don't have native clients and they need to be installed first, but they should exist for almost everything. And what should go to tunnel is part of config, so nothing else will go there.

If you want VPN where this is not a problem, you can try Wireguard

Nice idea, you could export the configuration needed, and then the clients can download wireguard, import the configuration and activate the connection...
However you need ROS v7 for that ...

I'm from the Czech Republic and the operators here ask for 13 times more than the data they charge in the surrounding countries, so internet connection is a very expensive item (mobile internet only). Public IP is considered a luxury here.. Although we are almost in the middle of Europe. I don't know why it works like this for many years.

Well there should be hope: follow Starlink, and preorder if you want to be served early. Sounds expensive, but there is NO datacap (really unlimited volume) at 150Mbps-300Mbps download.
https://www.expats.cz/czech-news/articl ... h-republic

@bpwl: I wouldn't want to travel with Starlink dish on my back. The problem is with mobile internet (for cellphones and such). In theory, there are three operators competing with each other, but in reality not so much. It's slowly getting better, they now have also unlimited data plans, and in a way not even that much expensive. It's still two or three times the cost of average fixed connection, and that's for one device, so not great if every family members wants own phone (they of course do). But the mobility has some value, so it may be worth it for someone who really needs is. Most annoying is lack of cheap options if you need it only for light use. Example from one operator, unlimited = X, 30GB = 0.65 X, 10 GB = 0.4 X, 2 GB = 0.2 X. Meh. My 500/200 FTTH at home costs 0.45 X, I'm not paying the same for funny 10GB.

Sorry, different reference case, did set me on the wrong leg. Didn't see that requirement for OP. Struggling 2 years with connectivity in the French Alpes, with geolocated satellites (700ms RTD), long ADSL line (at 1 Mbps), switched till last year to 3 SXT LTE kits with fixed 4G plans (200GB/month at 40€, very cheap plans, but fully congested in the important summer months and was down 3 weeks/month). FTTH was announced for 2021, but I estimate it will be 2023 if it ever comes. 'Unlimited' is the name of the plans, but the fair-use policy cuts the speed down to 256KB/s. Mid last year 1 Starlink dishy replaced all of this (but the 4G is still there for backup and for filling the beta blackouts).

How to tell Mobile devices that a wifi network actually is a "metered" network (4G with expensive volume costs) with MT AP ?

Starlink only works in the registered cell, it's not 'mobile'.

Mobiile 4G is solved with EU roaming plan, as the home plan includes the international roaming cost for double the subscription value. (Intl EU roaming cost is 3€/GB in 2021.) Most have an already paied for plan of 40€, giving 25GB roaming quota. (They have an 'Unlimited' LTE plan for their own country)

On the VPN problem, normally it is the VPN client software that selects what goes over the VPN and what is local internet access. The basic VPN software of the devices does not give that possibility, or at least is not to be remotely configured. VPN client software is an important part of the "VPN nomade user" solution. (I used Fortigate for many nomades in many countries. But indeed this required a specific VPN client (Forticlient VPN) to be installed.) Without control on the VPN client, one can only reject all unwanted traffic at the VPN server. Switching VPN on or off, was not usuable for many applications, they required a combination of HQ services and Internet services.

Depending on the budget and number of sporadic users, one could just give every VPN user a little router, that will do the VPN connection, and be smart to send only the necessary information over the VPN. With a mAP Lite that would be easy. Set up as station & AP, with all the VPN built in. The "station" would connect to any available wifi network, all client devices would connect to the provided AP. Shielded from the host wifi network at will. Ethernet port if needed. Powered by the USB of laptop, or powerbank, or mains.

getting cheaper than Belgium .... .... not surprised.
But telecom (certainly if you manage to get the BOX subscription) and electricity is cheap in France!
With dishy, swapped 2 of the 3 BOX plans for "Internet partout", 3€/day only days when used