Hi everyone,
What would be a good (and preferably easy) way of stopping a pptp/lt2p vpn client who is connected to the router from being able to access the routers internet connection?
I want them to have access to the local lan only.
Currently the vpn client gets an IP in a different range from the local lan.
I am running routeros 6.11 on a RB750.

Thanx in advance.

Either through firewall or NAT rule changes, you could configure that subnet with explicit allow destination list and then have a deny all to block access to anything not in the approved destination list...or you could look at your NAT policy and have it actually specify the allowed source subnets for masquerade access to the Internet.

Ok, either options sounds good, could you detail how to do the config for either?
Thanx much.

Easiest option is to edit the existing masquerade tool under Firewall --> NAT. Edit it to add a source IP address subnet of your network that you want to have access to the internet, so if you are using 192.168.1.0/24 you would put that into the Src Address field. This will only allow that address to have NAT to the Internet, by default any address has access. If you have other subnets behind your router (e.g. using VLANs) you could look at using a address lists to include all network segments you want to give Internet access to.

Without seeing your configuration it is hard to be specific.