We have some branches connected through Mikrotik PPTP.
As others have suggested, you might read about PPTP and consider switching to wireguard:
https://en.wikipedia.org/wiki/Point-to- ... l#Security
We have disabled their Internet usage by disabling masquerade NAT.
Disabling masquerade towards WAN is all-or-nothing and not really ideal to achieve blocking of direct Internet access.
But we need to allow AnyDesk connections for remote support. Does anyone have an idea?
I found this on the AnyDesk website: add an exception for *.net.anydesk.com. How can I do that?
Keep masquerade towards WAN enabled, but allow forwarding from LAN to WAN only for *.net.anydesk.com in the forward chain.
Add similar rules for everything else that should be possible.
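One way to do what the reply above describes on RouterOS, as an added example (not from the thread or from MikroTik's documentation). It assumes RouterOS v7 (the match-subdomain and address-list parameters of /ip dns static), a LAN bridge named "bridge", WAN on "ether1", and an upstream resolver 1.1.1.1; since a firewall cannot match a wildcard hostname directly, the DNS forwarder fills an address list with the IPs of *.net.anydesk.com and the forward chain only accepts LAN-to-WAN traffic to that list.

```routeros
# Added example, not the thread's own configuration. Assumes RouterOS v7,
# LAN bridge "bridge", WAN "ether1", upstream resolver 1.1.1.1 (assumed names).

# 1. Resolve *.net.anydesk.com through the router and record every answer in
#    the firewall address list "anydesk-allow" (entries expire with the DNS TTL).
/ip dns set allow-remote-requests=yes
/ip dns static add name=net.anydesk.com match-subdomain=yes type=FWD \
    forward-to=1.1.1.1 address-list=anydesk-allow comment="fill AnyDesk list"

# 2. Force LAN clients to use the router as resolver, otherwise the list never
#    fills and a client using its own DNS server would be blocked anyway.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router"

# 3. Keep masquerade towards WAN enabled, as the reply suggests.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 4. Forward chain: replies, then AnyDesk destinations, then drop the rest.
#    Traffic to HQ leaves through the PPTP interface, not ether1, so it is
#    untouched by these rules. Order matters: keep them above any general accept.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="return traffic"
/ip firewall filter add chain=forward in-interface=bridge out-interface=ether1 \
    connection-state=new dst-address-list=anydesk-allow action=accept \
    comment="LAN -> WAN only for *.net.anydesk.com"
/ip firewall filter add chain=forward in-interface=bridge out-interface=ether1 \
    action=drop log=yes log-prefix="lan-to-wan-blocked" \
    comment="drop all other direct Internet access"

# Check what the list currently holds and which connections get dropped:
/ip firewall address-list print where list=anydesk-allow
/log print where message~"lan-to-wan-blocked"
```

A client that connects to a bare IP without a DNS lookup, or that still uses a resolver the router does not see, will not appear in the list and is dropped; the log prefix makes such cases visible.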
If your branch site has access to the HQ only using PPTP tunneling, why use an external service like AnyDesk rather than something working inside your own network and not involving 3rd parties?