Mikrotik L2TP VPN IP Public Port Forward

Hello,

I am very new to Mikrotik, not much experience here.

Please see the picture first!

https://imgur.com/a/OFTV68D

We live in a very remote place where LTE and satellite internet are the only internet sources available. We need to access a web server from the outside internet and, of course, the internet providers mentioned earlier don't have any public IP address. We found a vendor who is renting out public IP addresses and delivers them using either L2TP or SSTP.

We configured L2TP on our Mikrotik; it is connected and getting a public IP address. However, we have no idea how to port forward to the web server, which is on the LAN at 192.168.10.10/24.

Ideally, clients accessing from outside will use the public IP and the rest of the default traffic will go out using the LTE internet.

How can I accomplish that? I have very limited experience here, so I need step-by-step instructions in order to accomplish it.

Thank you

It's simple, it's like a regular dual-WAN config. You can forward ports as usual; you just need to make sure that if a request came in through the tunnel, the response goes back the same way.

The minimal config for that is a new default route in a separate routing table:

/ip route
add dst-address=0.0.0.0/0 gateway=<IP address on the remote side of VPN tunnel> routing-mark=vpn

Then mark new connections coming from tunnel:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=<L2TP interface> new-connection-mark=from-vpn

And finally mark routing for responses:

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=from-vpn in-interface=<LAN interface> new-routing-mark=vpn

Tried it and it didn't work. I can't ping the 2nd public IP from the internet.

When you do this
/ip route
add dst-address=0.0.0.0/0 gateway= routing-mark=vpn

Which IP should I put as the gateway? Because when I dial L2TP, I am getting 1.0.0.1 as the remote address when it is connected.

If this is supposed to work, how can I allow ping to the 2nd IP?

I forgot one rule:

/ip firewall mangle
add action=mark-routing chain=output connection-mark=from-vpn new-routing-mark=vpn

And yes, the gateway should be the address on their side. If it's really 1.0.0.1, then on one hand it's completely wrong, because it's a public address that doesn't belong to them, but if it's there, it's what you should use.
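Pulling the pieces of the last two replies together, here is a complete RouterOS v6 configuration for this setup as an added example; it is not from the original posts. It assumes LTE on ether1 as the default WAN, the LAN on an interface named bridge, the L2TP client named l2tp-out1, and the public IP 129.129.129.10 and web server 192.168.10.10 from the thread; vpn.example.net and the credentials are placeholders. The route uses the L2TP interface as gateway, so the remote peer address does not matter, and the tunnel interface is added to the WAN list so the usual NAT and filter rules cover it.

```routeros
# Added example (not the thread's own config). RouterOS v6 syntax.
# Assumptions: ether1 = LTE WAN, bridge = LAN, l2tp-out1 = rented public IP tunnel.

/interface l2tp-client
add name=l2tp-out1 connect-to=vpn.example.net user=x password=x \
    add-default-route=no disabled=no \
    comment="rented public IP; plain L2TP is unencrypted, add use-ipsec=yes if the provider supports L2TP/IPsec"

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=l2tp-out1
add list=LAN interface=bridge

# Separate routing table so traffic belonging to tunnel connections leaves via the tunnel.
# Main table keeps the LTE default route (from the DHCP/LTE client), so everything else uses LTE.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=vpn comment="default via tunnel, table vpn"

/ip firewall mangle
# 1. remember which connections arrived through the tunnel
add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes
# 2. forwarded replies coming from the LAN (the web server) are routed by table vpn
add chain=prerouting in-interface=bridge connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no
# 3. replies generated by the router itself (e.g. ping to 129.129.129.10) also use table vpn
add chain=output connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no

/ip firewall nat
# forward TCP/80 arriving on the tunnel (the public IP) to the web server
add chain=dstnat in-interface=l2tp-out1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.10 to-ports=80
# LAN clients going out via LTE or the tunnel get masqueraded
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN connection-state=new action=accept
# only connections that matched a dst-nat rule may enter from WAN (LTE or tunnel)
add chain=forward in-interface-list=WAN connection-nat-state=dstnat connection-state=new action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=WAN protocol=icmp action=accept comment="allow ping to the public IP"
add chain=input in-interface-list=WAN connection-state=new action=drop

# Verification: the traceroute must leave via the tunnel, and torch should show
# both directions of an external ping to 129.129.129.10 on l2tp-out1.
/tool traceroute address=8.8.8.8 routing-table=vpn
/tool torch interface=l2tp-out1
```

Rule order matters in mangle and filter, so add these on a clean firewall or place them above any existing catch-all drop. On RouterOS v7 the route takes `routing-table=vpn` instead of `routing-mark=vpn` and the table must first be created with `/routing table add name=vpn fib`; the mangle and NAT rules are unchanged.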

Tried adding this one:

/ip firewall mangle
add action=mark-routing chain=output connection-mark=from-vpn new-routing-mark=vpn

Still doesn’t work.


And yes, the gateway should be the address on their side. If it's really 1.0.0.1, then on one hand it's completely wrong, because it's a public address that doesn't belong to them, but if it's there, it's what you should use.

The L2TP works if I am using a TP-Link WR840N router to dial out, and I also notice the default gateway is 1.0.0.1 on the TP-Link router, so I know 1.0.0.1 should be working.

The public IP is a /32, for instance 129.129.129.10/32, and the gateway could be something totally different, like 55.56.57.51.

I don't know why they have that weird public IP, but that's how their network is designed. Even though the IP is a /32 and the gateway is not in the same subnet as the IP, the IP is still routable to the internet.

Then try some simple experiments. Make sure that incoming traffic to 129.129.129.10 arrives correctly. Add a logging rule:

/ip firewall mangle
add action=log chain=prerouting dst-address=129.129.129.10 protocol=icmp

Then ping 129.129.129.10 from outside and you should see it logged. Similarly, you can log the responses:

/ip firewall mangle
add action=log chain=postrouting src-address=129.129.129.10 protocol=icmp

You can also test whether gateway 1.0.0.1 is really OK; add a simple route without any routing marks to one selected address:

/ip route
add dst-address=8.8.8.8/32 gateway=1.0.0.1

And then, directly on the router, try a traceroute to it and see where it goes:

/tool traceroute address=8.8.8.8

It's also possible that the L2TP interface (instead of the IP address) would work as the gateway, but I'm not completely sure right now.

/ip firewall mangle
add action=log chain=prerouting dst-address=129.129.129.10 protocol=icmp

No log appears in mangle (0 B).

Tried this one too:

/ip route
add dst-address=8.8.8.8/32 gateway=1.0.0.1

And this one:

/tool traceroute address=8.8.8.8

Can't ping, request timed out.

OK, stupid question, how sure are you that your new public address does anything at all? If you use Tools -> Torch on the L2TP interface, what do you see there? Any traffic to or from 129.129.129.10?

how sure are you that your new public address does anything at all?

It is working when I am using my TP-Link WR840N router and dial L2TP from there. It gets the public IP and I can get out to the internet.


If you use Tools -> Torch on the L2TP interface, what do you see there? Any traffic to or from 129.129.129.10?

I only see a DNS query to 8.8.8.8.

You now have the L2TP client with add-default-route=no, right? Can you test if it works when you change it to add-default-route=yes? It will route everything through the VPN, but you'll see if it works or not. If it does, you can switch it back.

I tried a quick test and the L2TP interface works as a gateway, so you don't need to deal with an IP address as the gateway and you can use:

/ip route
add dst-address=0.0.0.0/0 gateway=<l2tp interface> routing-mark=vpn

You can then test it with e.g.:

/tool traceroute 8.8.8.8 routing-table=vpn

/ip route
add dst-address=0.0.0.0/0 gateway= routing-mark=vpn

Tried this one too and it doesn't work.


Can you test if it works when you change it to add-default-route=yes? It will route everything through the VPN, but you'll see if it works or not. If it does, you can switch it back.

Doesn't work either.

Then you can try to export your config:

/export hide-sensitive file=myconfig

and paste the content of the resulting myconfig.rsc here in code tags. Hopefully there will be something wrong that can be fixed.

/ip address
add address=1.1.1.115/24 interface=WAN network=1.1.1.0
/interface l2tp-client
add add-default-route=yes connect-to=xxx.com disabled=no max-mru=1500 max-mtu=1500 name=l2tp-out1 password=x user=x
/ip route
add distance=2 gateway=1.1.1.1
It works very well.
Please let me know if I helped.

Hey,
What have you tried so far?

There are some missing pieces to understanding the technical issue.
Who is behind the Mikrotik device?
What are the routes on the Mikrotik device?

/ip route print

Might help to understand.

What you technically need to do is add a dst-nat rule on the L2TP/SSTP interface with the local address and the corresponding firewall rules in the filter table.
I cannot assume what the technical setup is regarding what is in the Mikrotik device.
If you would share more info, maybe via a supout.rif or other output from the device, I or others might be able to assist you.

And as a side note, an L2TP tunnel should have a /32 address; the gateway for such a device is the device itself.
With the right settings you don't need to add anything other than configuring the tunnel and the DHCP client properly.
(Assuming the TP-Link was good enough for you.)

Example firewall rules:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.10
/ip firewall filter
add action=accept chain=forward comment="Accept ESTABLISH,RELATED" connection-state=established,related
add action=drop chain=forward comment="Drop INVALID" connection-state=invalid
add action=accept chain=forward comment="Accept NEW From LAN" connection-state=new in-interface-list=LAN
add action=accept chain=forward comment="ACCEPT DNAT FROM WAN" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="DROP New From WAN" connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow ESTABLISHED Related" connection-state=established,related
add action=accept chain=input comment="ipsec policy matcher" ipsec-policy=in,ipsec
add action=accept chain=input comment="Accept ICMP on WAN" connection-state=new in-interface-list=WAN protocol=icmp
add action=drop chain=input connection-state=new in-interface-list=WAN

Since there was an example of the TP-Link working, it should work the same on the Mikrotik device.
It's not a dual-WAN scenario in the TP-Link, since it's converting the current default GW to the L2TP one.
In Mikrotik the only main issue with this L2TP connection is that it will not fetch the published DNS servers.

Example of my L2TP setup:

/interface l2tp-client
add add-default-route=yes allow=pap,chap allow-fast-path=yes comment=ISP1 connect-to=isp-host.net.il default-route-distance=5 name=l2tp-out1 password=test user=test1
/ip dhcp-client
add add-default-route=yes default-route-distance=20 dhcp-options=hostname,clientid disabled=yes interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes servers=192.168.1.254,8.8.8.8

To verify whether FastPath or the route cache is the issue, you can set these to no:

/ip settings
set allow-fast-path=no route-cache=no

Let me know if some of this helps you.