I have a SOHO LAN that I want to use an L2TP VPN to connect to. I’ve done my L2TP setup, and the test device connects within the LAN with no issues.
However, when attempting to connect from the outside, the connection never completes. So I suspect I’ve got something wrong with the firewall/NAT. The whole setup is pretty simple, so I was hoping that someone can point out the obvious flaw I’m missing.
Setup
Internet <—> 1.2.3.4 (public IP) eth2 [Mikrotik Router] eth1 (private IP) 192.168.88.2 <—> LAN
Here’s my firewall
As I understand it:
Filter
Allow access to the router for L2TP (IPsec-esp, UDP 500, UDP 1701, UDP 4500)
Allow access to the router for pings (icmp)
Allow established connections to the router
Drop other stuff attempting outside access to the router
Allow through packets for established connections
Drop through packets for invalid connections
Drop through packets from eth2(WAN) that are not being NATed
# may/04/2015 09:48:04 by RouterOS 6.28
# software id = XSJ5-91JA
#
/ip firewall filter
add chain=input comment="Allow L2TP vpn" protocol=ipsec-esp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether2-ufb
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether2-ufb
While typing this out I saw the problem. I needed to allow through traffic on eth2 for the VPN pool.
add chain=forward src-address=172.16.1.0/24
I added this, and boom, instant remote VPN. I thought I’d leave this here in case it helps someone else. (Also, someone might see a big issue with my config and tell me.)
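A tighter form of the poster's fix, added here as an example (it is not the poster's export or anything from RouterOS documentation): it matches the accept on the tunnel interface as well as the pool address and places the rule explicitly instead of appending it. It assumes the ether2-ufb WAN interface and the 172.16.1.0/24 pool from the post, and that this RouterOS accepts the `all-ppp` dynamic interface group and the `place-before` parameter.

```routeros
# Added example, not the poster's export. Same intent as
#   add chain=forward src-address=172.16.1.0/24
# but matched on the tunnel interface as well as the pool address, so the
# accept only applies to packets that really arrived over a PPP/L2TP
# session and not to anything else carrying a 172.16.1.x source.
# Assumes ether2-ufb (WAN) and the 172.16.1.0/24 pool from the post.
/ip firewall filter
# Put the accept just ahead of the existing invalid-drop so it is evaluated
# before the "drop new from WAN unless dstnat" rule. A plain "add" with no
# place-before appends to the end of the chain, after that drop.
add chain=forward action=accept in-interface=all-ppp \
    src-address=172.16.1.0/24 comment="Allow L2TP pool into LAN" \
    place-before=[find chain=forward action=drop connection-state=invalid]
# Note: the forward chain in the post has no final drop rule, so anything
# not matched by an earlier rule is accepted by the chain's default action.

# Checks after a remote client connects:
# 1. the PPP session exists and was handed an address from the pool
/ppp active print
# 2. the new rule's packet/byte counters grow while the client talks to
#    the LAN (counters are per rule; a steady zero means it never matched)
/ip firewall filter print stats where comment="Allow L2TP pool into LAN"
# 3. the client's connections are tracked, so the established,related rule
#    in the forward chain covers the LAN -> client return direction
/ip firewall connection print where src-address~"^172.16.1."
```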