Add L2TP interface to bridge - how?

I have succeeded in setting up a VPN dial-in to an MT router from a Win XP client computer using L2TP/IPSec with PSK.
The client connects fine, gets an IP address in the same range as the LAN side of the Mikrotik router, and I’m able to ping from the client computer to computers in the LAN. So far so good.

But how do I manage to pass on broadcast traffic between the VPN client to the LAN and vice versa? I can see UDP broadcast to ports 137/138 (Netbios) arriving at the router, but I don’t know how to pass it on to the LAN computers. The LAN computers are all connected to a bridge containing ether2..ether5.

I thought I should be able to add the L2TP to this bridge as well, by specifying the bridge in the Bridge parameter of the PPP policy, but it never shows up.
Something is mentioned on the forum about enabling BCP on both sides of a PPP tunnel, but the far end of this connection is in Windows XP and I dunno what I can do there.

How do I add the L2TP interface to the bridge?

Or are there any other tricks that can be used to enable access to network browsing and shared printers/disk drives from the client?

This is the setup:

[admin@MT] > ppp secret export
# feb/12/2009 14:42:42 by RouterOS 3.20
# software id = 93B9-LTT
#
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=12345 password=12345 profile=L2TP-profile routes="" service=l2tp

[admin@MT] > ppp profile export
# feb/12/2009 14:42:48 by RouterOS 3.20
# software id = 93B9-LTT
#
/ppp profile
add bridge=bridge1 change-tcp-mss=default comment="" local-address=\
    192.168.1.150 name=L2TP-profile only-one=default remote-address=\
    192.168.1.200 use-compression=default use-encryption=default \
    use-vj-compression=default

[admin@MT] > interface pr
Flags: D - dynamic, X - disabled, R - running, S - slave
#     NAME                                                                                                                  TYPE             MTU 
0  R  ether1                                                                                                                ether            1500
1     ether2                                                                                                                ether            1500
2  R  ether3                                                                                                                ether            1500
3     ether4                                                                                                                ether            1500
4  R  ether5                                                                                                                ether            1500
5  R  bridge1                                                                                                               bridge           1500
6  R  pppoe-out1                                                                                                            pppoe-out        1480
7 DR  <l2tp-12345>                                                                                                          l2tp-in          1400
[admin@MT] > interface bridge pr
Flags: X - disabled, R - running
0  R name="bridge1" mtu=1500 arp=proxy-arp mac-address=00:0C:42:2E:BD:01 protocol-mode=none priority=0x8000 auto-mac=yes
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

[admin@MT] > interface bridge port pr
Flags: X - disabled, I - inactive, D - dynamic
#    INTERFACE                                                BRIDGE                                                PRIORITY PATH-COST  HORIZON   
0 I  ether2                                                   bridge1                                               0x80     10         none     
1    ether3                                                   bridge1                                               0x80     10         none     
2 I  ether4                                                   bridge1                                               0x80     10         none     
3    ether5                                                   bridge1                                               0x80     10         none     

[admin@MT] > ip address pr
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                 
0   192.168.1.1/24     192.168.1.0     192.168.1.255   bridge1                                                                                   
1 D XX.XXX.176.81/32   XX.XX.34.0      0.0.0.0         pppoe-out1                                                                                 
2 D 192.168.1.150/32   192.168.1.200   0.0.0.0         <l2tp-12345>                                                                               

[admin@MT] > ip route pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
#      DST-ADDRESS        PREF-SRC        GATEWAY-STATE GATEWAY                                     DISTANCE INTERFACE                           
0 ADS  0.0.0.0/0                          reachable     88.88.34.0                                  1        pppoe-out1                           
1 ADC  XX.XX.34.0/32      XX.XX.176.81                                                             0        pppoe-out1                           
2 ADC  192.168.1.0/24     192.168.1.1                                                               0        bridge1                             
3 ADC  192.168.1.200/32   192.168.1.150                                                             0        <l2tp-12345>

Something is mentioned on the forum about enabling BCP on both sides of a PPP tunnel, but the far end of this connection is in Windows XP and I dunno what I can do there.

How do I add the L2TP interface to the bridge?

That is true, you need BCP enabled on both ends, otherwise this feature will not work. I’m not sure if it is possible with a Windows machine.

Hmmm…not sure if that’s possible either. Anyway thanks for info!

Are there other ways to pass L2TP broadcast traffic on to the LAN-side bridge?

Yeah, you can’t add an L2TP tunnel to a bridge unless there is a 1500-byte MTU, I believe.

Can you turn on proxy-arp on the bridge1 interface?

Sam

Yes, Proxy-ARP is enabled.

Can I specify 1500 bytes MTU manually for the L2TP connection?

You can on MT 3.x: just change the MRRU to 1600 (it has to be more than 1500 for overhead…). I have no idea whether Windows XP (client) will deal with that properly or not.

I found a way to change MTU for VPN connections by adding some registry settings, but no use - MTU of L2TP connection was still 1400. :frowning:

If it is true that all it takes to be able to add the L2TP interface to the bridge is succeeding in raising the MTU to 1500, then I guess somebody here must have succeeded in it?
An L2TP VPN connection from a WinXP client cannot be THAT odd? :open_mouth:

Please, any other trick that can help me forward the broadcast traffic from the L2TP interface to the bridge so I can enable disk and printer sharing?

Here is how I do it:

and then:

and then:

Not sure if it will work with a non-Mikrotik system however… I am using it all the time. In earlier versions it seemed like the bridge would stop forwarding traffic after a few minutes however. I have not retested in a while.

Sam

Thank you changeip!

If I understand you right you are doing a tunnel between 2 MT devices and not a login from WinXP like me?
It’s much easier when you have control over both sides.

So leaving MTU and MRU to default 1460 was ok?
I read somewhere that they had to be 1500 to be able to add the intf to the bridge?

I don’t think I’m very far from succeeding, but not quite there yet.

Another issue is NAT traversal.
I have checked the NAT-T checkbox in the IPSec peer, but I’m not even able to traverse my MT boxes, it works only when I have a public IP at the XP computer.

At the moment I’m doing double-NAT, i.e. Internet ---->MT w/NAT ---->MT w/NAT---->Client computer
Is that beyond what should be possible to accomplish?

This may sound like an obvious question but why don’t you just use routing? Why the need for the bridge?

I’m not sure how to setup routes for the broadcast traffic.
Can you help me?

If you need it only for NetBIOS, e.g. Network Neighborhood, then better set up a WINS service on your network and configure the WinXP hosts to use it. You can find a WINS service in MS Windows Server products (e.g. MS Windows 2000 Advanced Server), or in the Samba package. Most Linux distributions have this package.

Any news on this?

I’d like to use the native XP client to connect with PPTP/L2TP to a MikroTik router, and to get assigned to the LAN bridge.
Even though everything is set up correctly, and the connection is up, the PPTP client interface on the MikroTik does not get automatically added to the bridge, and neither can I add it manually. It does not show up in bridge/ports.

I know this works with OVPN, but I’d like to use Windows native PPTP/L2TP.

have you got an open support ticket already? =)

Nope, never done that before (:

I don’t think Windows can bridge an L2TP/PPTP tunnel… if you have two MikroTiks it works fine (you have to set MRRU > 1500), but Windows can’t do that, I believe. I am using this all the time on MikroTik-to-MikroTik links, but couldn’t make it work with Windows. It probably has to do with the MRRU / MTU. You could try setting your bridge to 1400 MTU and see if that helps or not…

I don’t need Windows to bridge the pptp connection. I want RouterOS to bridge it!

E.g.: bridge-lan should contain ether2 and pptp-ppp1 in the router.

Correct, but in order to bridge to Ethernet you need the same MTU… which you’re not going to get with Windows unless you lower everything else. Windows doesn’t support MRRU, does it? I’m saying the bridge port won’t join until the MTUs match…
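For readers who do control both ends, here is an added example (editor’s illustration, not changeip’s configuration, which is not reproduced in the thread) of the MikroTik-to-MikroTik form of what the posts above describe: BCP via the profile’s bridge parameter, with MRRU raised to 1600 on both sides so the tunnel MTU can reach 1500 and the dynamic bridge port can join. It does not help with a Windows XP client, which is the thread’s whole problem. Interface names, addresses, user names and passwords are placeholders, the IPsec peer/policy half of L2TP/IPsec is left out, and parameter names follow RouterOS 3.x as remembered and should be checked against `?` in the console before use.

```routeros
# Router A (L2TP server). LAN lives on bridge1. All names/addresses are placeholders.
/ppp profile
add name=bcp-profile bridge=bridge1 local-address=192.168.1.1 \
    remote-address=192.168.1.200 use-encryption=yes
/ppp secret
add name=siteb password=CHANGE-ME service=l2tp profile=bcp-profile
/interface l2tp-server server
set enabled=yes default-profile=bcp-profile mrru=1600

# Router B (L2TP client). Its own LAN also lives on bridge1; connect-to is a placeholder.
/ppp profile
add name=bcp-profile bridge=bridge1
/interface l2tp-client
add name=l2tp-to-a connect-to=203.0.113.1 user=siteb password=CHANGE-ME \
    profile=bcp-profile mrru=1600 disabled=no

# Check on either router once the tunnel is up: the l2tp interface should report
# MTU 1500, and a D-flagged (dynamic) port should appear in the bridge port list.
/interface print
/interface bridge port print
```

The thing to verify after this is the second print: if the tunnel still shows an MTU below 1500, no dynamic port appears and the two LANs stay separate, which is exactly the symptom the XP-client posts report. Bridging two sites at layer 2 also means every broadcast on one LAN now crosses the tunnel, so keep `use-encryption=yes` (or the IPsec policy) in place and expect NetBIOS chatter on the link.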

It’s awesome that this is possible, thanks to MikroTik.

Now, how to reduce overhead? :slight_smile: For small VoIP packets, the resultant encapsulated packet looks twice the size.

Help! :slight_smile:

have you tried IP → Packing?.. =)