Hello
I followed a few guides on YouTube and online to set up a VPN using L2TP.
Please see my screenshot with the current setup.
The problem is, I am able to connect from a remote location, but I am not able to see the other LAN devices on the network.
Just for testing, I disabled all firewall rules and tried to ping devices, to no avail.
I notice the remote client gets a different network mask than the local network as shown here:
In the remote device connected via L2TP ("thebox"), add a route for 10.0.0.0/8 to use the 10.0.0.1 gateway. I would bet that you have it set to not use the L2TP server as the default gateway? In which case you will need to add a route. It should be able to ping and/or telnet/SSH into 10.0.0.1 (depending on what services you have enabled on the MikroTik device).
Unless you want it to share broadcast / L2 traffic, in which case I believe you will need to specify which bridge to connect it to in /ppp profile.
In your client routing table, if it has the vpn as the default gateway it should have something similar to this, where 192.168.55.254 is my vpn local address. See how the metric has changed to prefer the vpn for default gateway vs local, which in my case is 192.168.88.1.
If you add the route to the client (10.0.0.0/8) it should look like this, and then you have a route to the 10.0.0.0/8 devices local to that router.
Same issue.
I tried a few more workarounds on the server, playing with the bridge and IPs within the (UNEVEN and DISCONNECTED between each other) configuration tabs on the MikroTik, to no avail.
I'm already frustrated trying to set up this thing; absolutely unfriendly.
If this fails I will need to try setting up OpenVPN instead, but the WAN IP is dynamic and I assume I need a static IP to keep the certificate in place, right?
I have another MikroTik at home; I will set up an L2TP connection and test there to see if there are any issues. Maybe this is the way MikroTik works with this type of connection? Can you guys test and see what happens on your routers?
Thank you
Random videos and blogs found on the internet are often outdated, inaccurate, not optimal, or just wrong.
There are no native layer 2 / ethernet VPNs available in Windows, PPP-like VPNs (L2TP, SSTP, PPTP) use point-to-point connections with a /32 IP at each end of the link, they are never part of a larger broadcast domain. If you are using VPN client addresses which overlap with a subnet attached to an ethernet interface you have to use proxy-arp so the Mikrotik replies to ARP requests from local ethernet connected devices on behalf of the remote VPN client.
Screenshots are rarely helpful, post the output of /export hide-sensitive in a code block (the icon above the text entry box in the forum)
Because I exhausted all the options I could think of on the MikroTik tabs and nothing works, and another member suggested trying that too, so I gave it a shot.
This is Windows 10. I downloaded a VM and it is in a vanilla state.
Thanks for the suggestions. The other options mentioned are way out of my knowledge, and it doesn't make sense to me that there are a zillion videos showing the process, which is rather simple, but in my case it does not work, as the proof shows. Bad luck for me.
I am setting up the OpenVPN option now: creating certificates, importing them on the client into specific Program Files directories, and other tricks… a mess to establish a simple client-server connection.
In the PPP profile, put the local address as an arbitrary unused IP range, i.e. 192.168.255.254, and for the remote address make an /ip pool in the same subnet. Then in your PPP clients leave "use default gateway on remote network" enabled, and now you can get to the subnets available to the router.
I have 12 or so routers set up for L2TP access this way with a different subnet for the PPP connection, and it works great.
It's not a bridged L2 connection; as tdw said, that is not possible (this I haven't explored, but I believe him).
You have to make sure your firewall rules allow this network range for the forward chain to get to your local subnets, and allow it on the input if you would also like to get into the router from the vpn connection.
If you disable “use default gateway on remote network” on the client machine, you will need to add static routes pointing to the 192.168.255.254 (or your desired ppp local address) gateway address in order for the client to know which gateway to forward to for the remote subnet.
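The arrangement this reply describes, written out as an added RouterOS configuration example. It is not from any post in this thread and not the thread's own export; the names vpn-prof, l2tp-pool and vpn-clients, the 192.168.255.0/24 PPP subnet, the 10.0.0.0/24 LAN and the LAN/WAN interface lists are assumptions chosen for illustration.

```routeros
# Added example: L2TP/IPsec server whose PPP subnet does NOT overlap the LAN.
# Assumed: LAN is 10.0.0.0/24 on bridge1 (interface list LAN), WAN is ether1
# (interface list WAN), PPP links use 192.168.255.0/24. Each PPP link is
# point-to-point with a /32 at both ends, so the client's mask of
# 255.255.255.255 is expected and harmless; routing, not L2, carries traffic.

/ip pool
add name=l2tp-pool ranges=192.168.255.10-192.168.255.100

/ppp profile
# dns-server=10.0.0.1 assumes the router answers DNS (/ip dns allow-remote-requests=yes);
# otherwise point it at the LAN resolver the clients should use.
add name=vpn-prof local-address=192.168.255.254 remote-address=l2tp-pool \
    dns-server=10.0.0.1 change-tcp-mss=yes

/ppp secret
# Password omitted here; set it with password=... (hidden by /export hide-sensitive).
add name=ncvpn profile=vpn-prof service=l2tp

/interface l2tp-server server
# use-ipsec=required refuses plain L2TP; the pre-shared key goes in ipsec-secret=...
set enabled=yes default-profile=vpn-prof use-ipsec=required one-session-per-host=yes

# With "use default gateway on remote network" enabled on the client, all of its
# traffic arrives on the PPP link with a 192.168.255.x source and the router
# forwards it to 10.0.0.0/24 like any other routed packet: no proxy-arp and no
# bridge= in the profile are needed.

/ip firewall address-list
add list=vpn-clients address=192.168.255.0/24

/ip firewall filter
# Both rules must sit above the chain's final drop rule (order matters).
add chain=forward action=accept src-address-list=vpn-clients out-interface-list=LAN \
    comment="VPN clients to LAN"
add chain=input action=accept src-address-list=vpn-clients \
    comment="VPN clients to the router itself (WinBox/SSH); remove if not wanted"
```

If the client has "use default gateway on remote network" disabled instead, it needs a static route for 10.0.0.0/24 via 192.168.255.254 (the profile's local-address), exactly as the reply says; nothing on the router changes.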
OK, I saw some comments from people having the same issue as I do; I'm not alone.
One solution for everyone was to use proxy-arp as you mentioned, so I did this:
Result: it worked for the other people, but here I am still having the same problem. But I feel I may be getting close to the solution.
Here is my export with the code:
Both the L2TP and OpenVPN are enabled. I haven't tested the OpenVPN connection yet, but looking at the comments of other people it does not matter; I need to solve that proxy-arp issue, so it seems…
[admin@MikroTik] > /export hide-sensitive
# jun/05/2021 18:19:03 by RouterOS 6.48.3
# software id = W0PA-KWSM
#
# model = CRS109-8G-1S-2HnD
# serial number = D54E0DXXXXX
/interface bridge
add arp=proxy-arp name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge ssid=NCStudio wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add bridge=bridge1 dns-server=8.8.8.8 local-address=10.0.0.1 name=vpn-prof remote-address=l2tppool1
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=10.0.0.1 remote-address=l2tppool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 fast-leave=yes interface=*D
/interface l2tp-server server
set default-profile=vpn-prof enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10h10m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=10.0.0.0/8 gateway=10.0.0.1 netmask=8
/ip firewall address-list
add address=27.116.56.0/22 comment=AFGHANISTAN list=CountryIPBlocks
A ZILLION BLOCKED COUNTRIES HERE
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add action=drop chain=forward comment="Drop all traffic to-from addresses on \"CountryIPBlocks\" address list" \
dst-address-list=CountryIPBlocks
add action=accept chain=forward comment="Allow established connections through router" connection-state=established
add action=accept chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=\
new in-interface=ether1
add action=drop chain=forward comment="Drop all other connections through the router" disabled=yes
add action=drop chain=input comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" \
src-address-list=CountryIPBlocks
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface=ether1
add action=accept chain=input comment=\
"Allow established connections to the router, these are OK because we aren't allowing new connections" \
connection-state=established
add action=accept chain=input comment=\
"Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=\
related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
add action=accept chain=forward comment="Test OVPN filter rule" in-interface=all-ppp out-interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.0.0.1 name=ncvpn profile=vpn-prof remote-address=10.0.0.251 routes=10.0.0.0/8 service=l2tp
add local-address=10.0.0.1 name=vpnancy profile=vpn-prof remote-address=10.0.0.240 service=ovpn
/system clock
set time-zone-name=America/New_York
/ip firewall filter
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=
new in-interface=ether1
Looking at your firewall config, ether1 is your WAN, and in that rule you're allowing all new forward connections from your WAN, even though your comment says it's LAN.
You will need to add
add action=accept chain=forward comment="Allow new connections through router coming in PPP interface" src-address-list="your_ppp_list_name_here"
with a list that includes your PPP pool IP subnet.
And you will need to add an input chain also, if you want access to the router.
You also have your input chain accept rule set to your WAN physical port:
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface=ether1
I'm also unsure if you are actually using this subnet;
Axotic, in a firewall filter, rules are executed in top-down order. You start with "input" and do not "drop" first.
I will copy the working filter rules that include both L2TP and PPTP. The last filter rule is always a Forward drop-all, not "accept". To access internal network devices we set the bridge interface to "proxy-arp". Use the RAW section to block country IPs. If you need to block DNS port 53, we also use the RAW section.
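The ordering this reply describes (accepts first, an unconditional drop closing each chain, country blocking and DNS blocking in RAW), written out as an added RouterOS example. These are not the reply's own screenshot rules; they assume the thread's CountryIPBlocks address list, interface lists named WAN and LAN, and an address list vpn-clients holding the PPP client subnet. PPTP is left out.

```routeros
# Added example: firewall chain order. RouterOS walks each chain top to bottom
# and the first matching rule decides, so accepts for legitimate traffic go
# first and every chain ends with a plain drop (enabled, not disabled=yes).
# Assumed: interface lists WAN/LAN exist, address list CountryIPBlocks is
# populated, VPN client addresses are in address list vpn-clients.

/ip firewall raw
# Raw runs in prerouting before connection tracking: cheapest place to drop
# bulk-blocked sources and to stop the router acting as an open DNS resolver.
add chain=prerouting action=drop src-address-list=CountryIPBlocks \
    comment="Drop inbound from blocked countries"
add chain=prerouting action=drop in-interface-list=WAN protocol=udp dst-port=53 \
    comment="No DNS from the Internet (LAN and VPN still use the router DNS)"
add chain=prerouting action=drop in-interface-list=WAN protocol=tcp dst-port=53 \
    comment="No DNS from the Internet (TCP)"

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="LAN may manage the router"
# L2TP/IPsec from the Internet: IKE, NAT-T and ESP
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 \
    comment="IKE / NAT-T"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp comment="ESP"
# L2TP only after IPsec decapsulation, never in the clear
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP inside IPsec"
add chain=input action=accept src-address-list=vpn-clients \
    comment="VPN clients may manage the router (remove if not wanted)"
add chain=input action=drop comment="Drop everything else to the router"

# ---- forward: traffic passing through the router ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN comment="LAN outbound"
add chain=forward action=accept src-address-list=vpn-clients out-interface-list=LAN \
    comment="VPN clients to LAN"
add chain=forward action=drop comment="Drop everything else through the router"
```

Note what this changes relative to the posted export: no rule matches on in-interface=ether1 (the WAN) as if it were the LAN, the final drops are enabled, and L2TP on UDP 1701 is only accepted when it arrives inside an IPsec policy, so the server cannot be reached with unencrypted L2TP.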
Thank you guys for the tips and help.
I am watching more articles trying to learn and hopefully be able to implement some basic Mikrotik setups safely.
I created the firewall rules using this site: https://mikrotikconfig.com/
Looks like that was a bad idea…
Jonson, I will take a look at the screenshot and let you know.
Thank you a lot
Johnson, I got the connection working with the help of your screenshots. I want to thank you a lot for the help.
I am not sure what those IPsec settings do, and I had that DNS checkbox turned off, but now it works.
The mask in the client still shows as 255.255.255.255, but now I can see the other network devices.
I haven't modified the firewall yet. I'm not sure if I should erase all the current firewall settings and use the code you posted previously?
I am afraid to use that website again for the firewall configurations. I will be watching some basic tutorials on MikroTik firewalls today.
Thank you
If you want, you can choose not to change anything yourself, but I would recommend looking at the diagram, where it is very clearly shown how the incoming packets are filtered.
Section - “Packet flow chains” https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
The first will be "prerouting", then "input", then "forward" … "output". I'll copy a tested and working example for you that will suffice, unless you have specific network requirements.
The netmask 255.255.255.255 should not appear if you have specified the internal network addresses correctly.
Your above configuration had the following entry:
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
It's not necessary! We only record the current subnet (10.0.0.0/24, or another), either one or several, depending on how many are needed. The link I copied where L2TP configs were displayed had one subnet and nothing more. With this configuration, everything will work without problems.
If he changed his PPP network addresses as provided in the screenshots, that's why he can now get to his existing 10.0.0.0/8 subnets attached to the router. The reason he couldn't before is that he was trying to overlap his PPP subnet and the subnets local to the router, which is why I suggested changing to an unused subnet such as 192.168.255.0/24, or one he's not going to otherwise use. As also suggested above, I was able to use proxy-arp on the bridge and get to the subnets while overlapping.
I believe the reason the latter didn't work for him is that he also manually assigned an IP address on the client, which may or may not have matched where the router was attempting to send for its PPP client.
Now you will need to protect your router, and set appropriate firewall rules.
Hello,
I need some help please. I cannot ping my SXT connected to ether2 of my MikroTik on site while I am connected by VPN to the MikroTik.
IP of the SXT: 10.1.10.1
Below is the config: