L2TP client change destination port away from UDP 1701

Hi,
I’m trying to configure L2TP as a client, but it needs to connect to a server which runs its service on a different port than 1701.
Is there any way to change the destination UDP port away from the standard 1701?
Thanks in advance.

Did you try :port after the address? Maybe it works.

Not possible directly.

Yes, I’ve tried :port, but it’s not being accepted as an entry.

@mrz: Does “not directly” mean not at all or maybe possible with some sort of trick?

Of course you can try dstnat…

Not sure if I’m doing it right, just tried with:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=1701 \
    protocol=udp to-addresses=1.1.1.1 to-ports=10000

However, I still see packets leaving with 1701 as destination and the counters for this rule are not increasing.
To be honest I would not even expect this to work; why should the box send its own traffic through this chain?
Thanks for this idea though.

DST NAT won't work because it is processed in prerouting. Locally originated packets do not get into the prerouting chain.

You can change the port if you add another device between server and client and run DST NAT there.

OK, so it’s not possible with a device on the border of the network :frowning:
Would you please consider to add a variable destination port for L2TP in a future routeros version?

Is this feature still not added as of 6.38.1? Why can we not change the port L2TP uses?

I understand we can add another MT, but that's another point of failure and another device to have to manage (for just one simple feature request).

tks

I’m sharing what worked for me. I’d like to clarify that I’ve only tested it on RouterOS V7 so far.

If you create an L2TP-CLIENT connection, as we know, we can’t directly change the default DST-PORT, which is 1701. So, let’s assume that on the L2TP server side, we have a DEBIAN machine with the xl2tpd service listening on port 27101 instead of port 1701. The commands on the MikroTik Client router side would be:

/ip firewall nat add chain=srcnat out-interface-list=WAN protocol=udp src-port=27101 \
    action=src-nat to-ports=1701 comment="WIFITIKET ONLINE VPN" place-before=2;
/ip firewall nat add chain=output dst-port=1701 out-interface-list=WAN protocol=udp \
    action=dst-nat to-ports=27101 comment="WIFITIKET ONLINE VPN" place-before=2;
/ip firewall nat add chain=dstnat in-interface-list=WAN dst-port=27101 protocol=udp \
    action=dst-nat to-ports=1701 comment="WIFITIKET ONLINE VPN" place-before=2;
/ip firewall filter add chain=input dst-port=1701 protocol=udp action=accept \
    comment="WIFITIKET ONLINE VPN" place-before=2;

I hope it helps.
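Added illustration, not RouterOS code and not from any poster in this thread: a small Python model of the chain traversal mrz describes, covering both the earlier dstnat attempt and the output-chain rule from the last post. It shows why a rule in the dstnat (prerouting) chain never sees the router's own L2TP packets, so its counter stays at zero, while the same rewrite placed in the output chain does change the destination port, and why an inbound datagram arriving on the non-standard port is mapped back to 1701 before the input filter sees it. Addresses, ports and the rule subset are constructed for the example; the input chain is folded into the same rule list for brevity even though it belongs to the filter table.

```python
"""Model of RouterOS-style NAT chain traversal for the L2TP port question.

Constructed illustration for the thread above; it is not RouterOS code.
Only the traversal order that matters here is reproduced:
  router-generated packet : output  -> srcnat      (never dstnat)
  packet from the network : dstnat  -> input
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str = "udp"
    locally_originated: bool = False  # True when the router itself sent it


@dataclass
class Rule:
    chain: str
    action: str                       # "dst-nat", "src-nat" or "accept"
    proto: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None
    to_ports: Optional[int] = None
    packets: int = 0                  # hit counter, like the CLI's packet counter

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.dst_addr is None or self.dst_addr == p.dst_addr,
            self.dst_port is None or self.dst_port == p.dst_port,
        ])

    def apply(self, p: Packet) -> Packet:
        self.packets += 1
        if self.action == "dst-nat":
            return replace(p, dst_port=self.to_ports)
        if self.action == "src-nat":
            return replace(p, src_port=self.to_ports)
        return p                      # "accept": pass through unchanged


def run_chain(chain: str, rules: List[Rule], p: Packet) -> Packet:
    """First matching rule in the chain wins, as in the real firewall."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.apply(p)
    return p


def traverse(rules: List[Rule], p: Packet) -> Packet:
    """Chain order for the two paths that matter in this thread."""
    if p.locally_originated:
        p = run_chain("output", rules, p)   # NAT for router-generated traffic
        p = run_chain("srcnat", rules, p)   # then post-routing source NAT
    else:
        p = run_chain("dstnat", rules, p)   # prerouting destination NAT
        p = run_chain("input", rules, p)    # then the input filter
    return p


def thread_original_attempt() -> Tuple[int, int]:
    """The first attempt in the thread: a dstnat rule aimed at the router's own
    L2TP packets. Returns (rule hit counter, resulting destination port)."""
    rule = Rule(chain="dstnat", action="dst-nat", proto="udp",
                dst_addr="1.1.1.1", dst_port=1701, to_ports=10000)
    out = traverse([rule], Packet("192.0.2.10", 1701, "1.1.1.1", 1701,
                                  locally_originated=True))
    return rule.packets, out.dst_port   # (0, 1701): never reached prerouting


def output_chain_rewrite() -> Tuple[int, int, int, int]:
    """The output-chain approach from the last post, reduced to the rules that
    decide the port. Returns (outbound dst port, inbound dst port after dstnat,
    output rule hits, dstnat rule hits)."""
    rules = [
        Rule(chain="output", action="dst-nat", proto="udp", dst_port=1701, to_ports=27101),
        Rule(chain="dstnat", action="dst-nat", proto="udp", dst_port=27101, to_ports=1701),
        Rule(chain="input", action="accept", proto="udp", dst_port=1701),
    ]
    outbound = traverse(rules, Packet("192.0.2.10", 1701, "203.0.113.5", 1701,
                                      locally_originated=True))
    # Constructed inbound datagram shaped the way the dstnat rule expects.
    inbound = traverse(rules, Packet("203.0.113.5", 27101, "192.0.2.10", 27101))
    return outbound.dst_port, inbound.dst_port, rules[0].packets, rules[1].packets


if __name__ == "__main__":
    print("dstnat attempt (hits, dst port):", thread_original_attempt())
    print("output-chain rewrite:", output_chain_rewrite())
```

The model deliberately leaves out connection tracking: on a real router the return path of an established UDP flow is reverse-translated by conntrack, which is why checking the packet counters of each rule (as the thread does) is the quickest way to see which rules actually take part in the flow.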