Long story short, I have set up an L2TP/IPSEC server on my router using my Linux PC as a client. While I’m connected to my home network using Winbox through my VPN I can see my list of neighbours, however when I’m connected to another network with my VPN on I can access the internet fine but Winbox loads no neighbours.
I have disabled all but ssh & winbox under services.
Below are a couple of screenshots which prove the VPN tunnel is working and the VPN config on my PC.
I’ve included the PPP config below and I’m picking my problem might be related to the PPP profile where it says “set *FFFFFFFE”, which doesn’t seem normal. How would I fix this?
I’m hoping someone can help me sort out the final piece of the puzzle. Cheers.
EDIT: I can confirm that I get different public IP addresses using https://whatismyipaddress.com/ when connecting from a cafe WiFi, VPN on and then off. So, further confirmation the tunnel is working, but not enough for Winbox 3 or 4 to display my router in neighbours.
[itechadmin@Home Router AX] > ppp/export
# 2025-06-04 16:30:10 by RouterOS 7.19.1
# software id = xxxx-xxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxx
/ppp profile
set *FFFFFFFE use-encryption=default
/ppp secret
add local-address=10.10.30.1 name=vpn profile=default-encryption remote-address=10.10.30.2 \
service=l2tp
Correct. Winbox fires up, but my home network doesn’t show in the neighbour list. Since I first posted this I’ve added the PPP profile config to my original post, which hopefully gives a clearer picture.
Winbox requires layer 2 for discovery.
L2TP can do layer 2, but it usually isn’t set up that way.
You could perhaps use RoMON. Set up RoMON on the remote routers and connect via RoMON to one of the routers’ IP addresses, and you should see and be able to connect to the other routers with RoMON enabled (and the same RoMON secret).
Thanks for this. RoMon has always been enabled on my home router (which I’m trying to connect to remotely) as I use it to connect to my LTE passthrough device.
I once had this working a couple of years back, but on a different router. It worked a treat. I feel I’m so close to getting it working again, I’m just missing something - probably simple, I just can’t think for the life of me what.
If I can connect remotely to my home router and even surf the internet, that shows me I’m almost there. Just need to be able to access Winbox neighbours and all will be complete.
This assumes a somewhat near-default firewall config on the Mikrotik.
From the Linux client, can you ping 10.10.30.1 (i.e. the Mikrotik) when connected via the VPN?
When this is working:
On the Mikrotik I would
Copy the default-encryption profile.
On the newly created profile, set the Address-List value to be LAN.
Change the profile used by the ppp secret to be the new profile.
With luck, when you connect through the VPN you should now be able to log in to the Mikrotik using Winbox
via IP address 10.10.30.1.
You can also connect to RoMON via 10.10.30.1 and see any other RoMON Mikrotiks on your network.
Not quite. WinBox uses MNDP discovery. And MNDP is a Layer3 UDP broadcast packet (255.255.255.255), so it’s broadcast support you need for WinBox Neighbors. Now, Layer2 access would always get you UDP broadcast, so that part is right. And to be clear, RoMON and its discovery does require Layer2.
Thank you. This works now when I VPN into the home router from home. I’ll give it a go tomorrow when I can connect through another network and report back.
Here’s the ping report from my laptop…
~$ ping 10.10.30.1
PING 10.10.30.1 (10.10.30.1) 56(84) bytes of data.
64 bytes from 10.10.30.1: icmp_seq=1 ttl=64 time=6.16 ms
64 bytes from 10.10.30.1: icmp_seq=2 ttl=64 time=2.99 ms
64 bytes from 10.10.30.1: icmp_seq=3 ttl=64 time=6.29 ms
64 bytes from 10.10.30.1: icmp_seq=4 ttl=64 time=2.97 ms
64 bytes from 10.10.30.1: icmp_seq=5 ttl=64 time=13.0 ms
64 bytes from 10.10.30.1: icmp_seq=6 ttl=64 time=3.02 ms
^[64 bytes from 10.10.30.1: icmp_seq=7 ttl=64 time=6.29 ms
64 bytes from 10.10.30.1: icmp_seq=8 ttl=64 time=3.02 ms
64 bytes from 10.10.30.1: icmp_seq=9 ttl=64 time=2.59 ms
^C
--- 10.10.30.1 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8012ms
rtt min/avg/max/mdev = 2.585/5.148/13.007/3.169 ms
~$
Ok, so I just used my wife’s mobile phone to hotspot and while I still couldn’t load neighbours in Winbox via my home VPN, I did manage to ping both 10.10.30.1 and my home router gateway, 192.168.88.1, as per the pic below.
Still a mystery why my home network doesn’t show up in neighbours when using my VPN away from home.
I have not tested this in a while and am not an expert on L2TP… But I don’t think the broadcast packet (255.255.255.255) needed for neighbors is received by the client OS when using L2TP. And I’m not 100% sure MNDP broadcasts are even allowed to be sent over L2TP.
You can save a bunch of IP addresses, notes and optionally passwords in Winbox.
So you could save all your routers there.
You can also log in via RoMON to the L2TP server IP address and see all the RoMON-configured devices.
Another option might be to use an L2TPv3 VPN set up as a virtual wire (ethernet cable).
Though I think this is likely a good way to hurt the VPN performance.
Just for clarity, this is the problem I’m having when trying to connect to my home router using my VPN from another network (cafe, public WiFi, etc…)
No neighbours are present, inc. my home router. I have tried saving my home router in the saved list, but that doesn’t do anything when activated either. It just says connecting, then times out. I can ping my home gateway when on another network, but I can’t gain access to my router through Winbox (3 or 4).
None of this is a problem when I’m on my home network using the same VPN, or with the VPN off, as expected.
I’m really sorry if this has caused any confusion.
If you saved them… then you need to change the view in WinBox4 to “Saved” in the dropdown near top center that says “Select From” (i.e. so it does NOT say Neighbors).
The Neighbors view listens for UDP broadcasts to 255.255.255.255, which [AFAIK] you’re not going to have with L2TP.
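As an added illustration (not code from anyone in this thread, nor from MikroTik) of the two explanations above, that the Neighbors view is fed by MNDP announcements sent as UDP broadcasts to 255.255.255.255, here is a small Python parser and listener for those announcements. The port (5678) and the packet layout (2-byte header, 2-byte sequence number, then type/length/value fields) and the TLV type ids follow public third-party dissectors, and should be treated as assumptions to confirm against a capture. The sample packet in the test is constructed, not captured. Run `listen()` on the home LAN and it prints the router; run it over the routed L2TP tunnel and it stays empty, because limited-broadcast datagrams are not forwarded through the tunnel even though unicast (ping to 10.10.30.1) works.

```python
"""Minimal MNDP (MikroTik Neighbor Discovery Protocol) parser and listener.

Added example, not code from the thread or from MikroTik. WinBox's Neighbors
view is populated from MNDP announcements, which are UDP datagrams sent to the
limited broadcast address 255.255.255.255 on port 5678. A routed L2TP tunnel
(no bridging) never delivers such broadcasts to the client, so the listener
below hears nothing there, while it does hear neighbours on a LAN segment.
"""
import socket
import struct

MNDP_PORT = 5678  # UDP, used as both source and destination port

# TLV type ids as documented by public third-party dissectors (assumption:
# confirm against a real capture before depending on any specific id).
TLV_NAMES = {
    1: "mac", 5: "identity", 7: "version", 8: "platform", 10: "uptime",
    11: "software_id", 12: "board", 14: "unpack", 15: "ipv6",
    16: "interface", 17: "ipv4",
}


def parse_mndp(payload: bytes) -> dict:
    """Parse one MNDP datagram: 2-byte header, 2-byte sequence number, then
    a run of TLVs laid out as (type:2, length:2, value) in network byte order."""
    if len(payload) < 4:
        raise ValueError("too short for an MNDP header")
    header, seq = struct.unpack("!HH", payload[:4])
    info = {"header": header, "seq": seq}
    off = 4
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        value = payload[off:off + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        off += tlen
        name = TLV_NAMES.get(ttype, f"type_{ttype}")
        if name == "mac" and tlen == 6:
            info[name] = ":".join(f"{b:02x}" for b in value)
        elif name == "ipv4" and tlen == 4:
            info[name] = socket.inet_ntoa(value)
        elif name == "uptime" and tlen == 4:
            # Dissectors read uptime as little-endian seconds (assumption).
            info[name] = struct.unpack("<I", value)[0]
        else:
            info[name] = value.decode("utf-8", "replace")
    return info


def build_mndp(fields: dict, seq: int = 0) -> bytes:
    """Build a constructed MNDP announcement (for offline testing only; it is
    not a captured packet). Accepts the same field names as TLV_NAMES."""
    ids = {name: tid for tid, name in TLV_NAMES.items()}
    body = b""
    for name, val in fields.items():
        if name == "mac":
            raw = bytes(int(octet, 16) for octet in val.split(":"))
        elif name == "ipv4":
            raw = socket.inet_aton(val)
        elif name == "uptime":
            raw = struct.pack("<I", val)
        else:
            raw = str(val).encode("utf-8")
        body += struct.pack("!HH", ids[name], len(raw)) + raw
    return struct.pack("!HH", 0, seq) + body


def listen(timeout: float = 5.0) -> dict:
    """Bind UDP 5678 on all interfaces and collect announcements heard before
    the timeout, keyed by source IP. Run this on the LAN and again over the
    VPN to see the difference the broadcast domain makes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("", MNDP_PORT))
    sock.settimeout(timeout)
    seen = {}
    try:
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            try:
                seen[src] = parse_mndp(data)
            except ValueError:
                continue  # not a well-formed announcement; ignore it
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    for src, info in listen().items():
        print(src, info.get("identity"), info.get("version"), info.get("mac"))
```

The listener binds port 5678 on every interface, so if it hears the router on Wi-Fi at home but not through the tunnel from the cafe, the tunnel is simply not in the router's broadcast domain; saving the router's address in WinBox and using the “Saved” view (as suggested above) sidesteps discovery entirely.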
To add further intrigue, I can’t ssh in either using terminal on my Linux laptop using an external network and my VPN. It hangs before requesting my user password. I can still ping the router fine though from the Linux laptop terminal.
I managed to lay my hands on the router where the config worked previously and have extracted the relevant config below. Hopefully I haven’t missed anything.
It still doesn’t work on either router, but I think that might have something to do with the part of the /ppp profile where it resolves “set *FFFFFFFE”.
It makes no sense for the config to repeat the local address or remote address unless the set value actually means something. I’m hoping if this part can be resolved it’ll be game over.
Any further help resolving this would be very much appreciated.