PPPoE happens on layer2, this means you don't need anything else at this interface allowed and it still will work after authentication. If you only want users to be able to pass through your firewall after they connected to PPPoE delete all rules at the Interface you run PPPoE on and disable the DHCP-Server for this interface.
how?
Let's say you run the PPPoE-Server at OPT1, delete all rules for OPT1 and don't set up a DHCP-Server for this interface. Add pass-rules for your PPPoE Interface. Done.