L2TP/IPsec VPN clients can't access LAN

Hi there,
I am very new to MikroTik, and I am trying to set up remote access to my network.
My router is behind Verizon router, hence not many Firewall rules.
I’ve spent a few days trying to solve the issue, but I seem to be missing something.

Here’s my config

# 2024-11-25 16:17:50 by RouterOS 7.15.2
# software id = HFQU-A853
#
# model = CRS520-4XS-16XQ

/interface bridge
add arp=proxy-arp name=bridge-lan-10
add name=bridge1
/interface ethernet
set [ find default-name=qsfp28-1-1 ] fec-mode=fec91
set [ find default-name=qsfp28-3-1 ] fec-mode=fec91
/interface l2tp-server
add name=l2tp-in1 user=*****
/interface list
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=pool-lan-10 ranges=10.10.10.5-10.10.10.254
add name=pool-vpn ranges=10.1.1.2-10.1.1.50
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
add address-pool=pool-lan-10 bootp-support=none interface=bridge-lan-10 name=dhcp-lan-10
/port
set 0 name=serial0
/ppp profile
set *0 local-address=10.1.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge-lan-10 interface=qsfp28-1-1
add bridge=bridge-lan-10 interface=qsfp28-1-2
add bridge=bridge-lan-10 interface=qsfp28-1-3
add bridge=bridge-lan-10 interface=qsfp28-1-4
add bridge=bridge-lan-10 interface=qsfp28-2-1
add bridge=bridge-lan-10 interface=qsfp28-2-2
add bridge=bridge-lan-10 interface=qsfp28-2-3
add bridge=bridge-lan-10 interface=qsfp28-2-4
add bridge=bridge-lan-10 interface=qsfp28-3-1
add bridge=bridge-lan-10 interface=qsfp28-3-2
add bridge=bridge-lan-10 interface=qsfp28-3-3
add bridge=bridge-lan-10 interface=qsfp28-3-4
add bridge=bridge-lan-10 interface=qsfp28-4-1
add bridge=bridge-lan-10 interface=qsfp28-4-2
add bridge=bridge-lan-10 interface=qsfp28-4-3
add bridge=bridge-lan-10 interface=qsfp28-4-4
/ip neighbor discovery-settings
set lldp-med-net-policy-vlan=1
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge-lan-10 list=LAN
add interface=l2tp-in1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=10.10.10.1 interface=bridge-lan-10 network=10.10.10.1
/ip dhcp-client
add interface=sfp28-1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp28-1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=*******
/system clock
set time-zone-name=America/New_York

Thanks in advance!

Some thoughts.

  1. Don’t use L2TP at all, use WireGuard, it's easier/better.
    (L2TP is slowly being discouraged)

Wireguard:
You only need 1 port.
You usually don’t have to fight much with the ISP router.
You don’t have to fight much with the client OS.
Perhaps a little less good if you are somewhere where VPNs are actively discouraged.

Otherwise:

If you are not getting any connection at all:

Check the ISP router is actually forwarding udp 500 4500 through. (Some don’t, or take some effort to get these 2 ports through)

  • Put a firewall passthrough rule in mangle for udp 500 dst-port, and also one for 4500
    And see if you can get them to count (500 first).

For Windows as a client, with the L2TP server (MikroTik) behind a NAT you need to make changes to the Windows registry or it won’t connect.
(Assuming you are using preshared keys)

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device


Make ipsec required.

/interface l2tp-server server
set enabled=yes use-ipsec=required

You can make the L2TP connections a member of the LAN address list from the profile
assigned to the connection. (Either the default profile for the L2TP server, or the one assigned to the secret)
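An added check, not part of this thread or of RouterOS: a small Python lint that parses the posted export and flags the points the reply raises (use-ipsec=required, LAN membership for VPN sessions through the ppp profile's interface-list parameter, input rules for UDP 500/4500/1701 and ESP), plus one observation of my own that the 10.10.10.1 address is entered without a prefix length, so RouterOS stores it as /32, which the network=10.10.10.1 in the export already shows.

```python
import re
# Constructed sample: a trimmed copy of the export posted above, limited to the menus the reply discusses.
EXPORT = """\
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/ppp profile
set *0 local-address=10.1.1.1 remote-address=pool-vpn
/ip address
add address=10.10.10.1 interface=bridge-lan-10 network=10.10.10.1
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
"""

def parse_export(text):
    """Group a RouterOS export into {menu path: [entry dicts of key=value]}."""
    menus, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            entries = menus.setdefault(line, [])
        elif line and not line.startswith("#"):
            entries.append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def lint(menus):
    findings = []
    srv = (menus.get("/interface l2tp-server server") or [{}])[0]
    if srv.get("use-ipsec") != "required":
        findings.append("l2tp-server: use-ipsec=%s, set use-ipsec=required" % srv.get("use-ipsec"))
    # Dynamic L2TP interfaces join an interface list through the ppp profile's interface-list
    # parameter; a static /interface list member entry for l2tp-in1 does not cover them.
    if not any(p.get("interface-list") == "LAN" for p in menus.get("/ppp profile", [])):
        findings.append("ppp profile: no interface-list=LAN, VPN sessions are not in LAN")
    # An address entered without a prefix length is a /32 (network equals the address).
    for a in menus.get("/ip address", []):
        if "/" not in a.get("address", ""):
            findings.append("ip address: %s on %s has no prefix length" % (a["address"], a.get("interface")))
    # Input chain must accept IKE (500), NAT-T (4500), L2TP (1701) and ESP.
    udp_ports, esp = set(), False
    for r in menus.get("/ip firewall filter", []):
        if r.get("chain") != "input" or r.get("action", "accept") != "accept":
            continue
        if r.get("protocol") == "udp":
            udp_ports.update(r.get("port", "").split(","))
        esp = esp or r.get("protocol") == "ipsec-esp"
    missing = {"500", "4500", "1701"} - udp_ports
    if missing or not esp:
        findings.append("firewall: input does not accept udp %s / esp" % ",".join(sorted(missing)))
    return findings
```

Run it against your own `/export` output to see which of the three points still apply after each change.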