Is there a simple way to only allow remote VPN Client users access to certain hosts on the private LAN?

Naturally, a 'source address filter' could be used for remote users who connect to their ISP with a static IP. However, the majority of remote users get allocated a dynamic IP.

Any ideas on this one, please?

The BM site in question consists of 3.6 and 3.7 servers.