Mikrotik Chateau 5G L2TP help please

I have a Chateau 5G on Vodafone, which I have managed to get configured and is working great. I now want to use the Andrew and Arnold L2TP tunnel service to get around CGNAT.
I've followed their support page article, which is meant for the RB3011/4011 devices; the tunnel comes up but no traffic goes across it.
Would anyone be able to take a look please and see what is missing or incorrect?
My local LAN is 10.0.1.254/24 and this is the config.

# 2025-12-31 02:47:20 by RouterOS 7.12.1
# software id = XXXX-XXXX
#
# model = D53G-5HacD2HnD
# serial number = XXXXXXXXXXX

/interface bridge
add name=Lan-Bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface l2tp-client
add comment="Andrew and Arnold L2TP" connect-to=l2tp.aa.net.uk disabled=no max-mru=1340 max-mtu=1340 name=l2tp-AAISP profile=default use-peer-dns=exclusively user=XXXXXXXXXx
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=Lan-Bridge interface=ether1
add bridge=Lan-Bridge interface=ether2
add bridge=Lan-Bridge interface=ether3
add bridge=Lan-Bridge interface=ether4
add bridge=Lan-Bridge interface=ether5
add bridge=Lan-Bridge interface=wlan2
add bridge=Lan-Bridge interface=wlan1
/interface list member
add interface=lte1 list=WAN
add interface=Lan-Bridge list=LAN
/ip address
add address=10.0.1.254/24 interface=Lan-Bridge network=10.0.1.0
/ip dhcp-client
add disabled=yes interface=*8
/ip firewall filter
add action=accept chain=input comment="Input: allow established and related" connection-state=established,related
add action=accept chain=forward comment="Forward: allow established and related" connection-state=established,related
add action=accept chain=input comment="Input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="Input: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=accept chain=forward comment="Forward: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=drop chain=input comment="Input: drop all remaining traffic"
add action=drop chain=forward comment="Forward: drop all remaining traffic"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP: Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=l2tp-AAISP passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="Nat: masquerade 10.0.1.0/24 to l2tp-AAISP's address" src-address=10.0.1.0/24
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Cheers
Tony

Post a link to the doc/example you followed.

At first sight the NAT rule:

add action=masquerade chain=srcnat comment="Nat: masquerade 10.0.1.0/24 to l2tp-AAISP's address" src-address=10.0.1.0/24

looks incomplete; it is missing an out-interface or out-interface-list specification.
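
The check described in this reply, as an added example that is not part of the original posts: a small Python linter that reads a RouterOS export and reports srcnat masquerade rules that name neither out-interface nor out-interface-list, which therefore apply to traffic leaving any interface. The sample export is constructed from the NAT and mangle lines posted above (abridged), and the function names are hypothetical.

```python
import shlex

# Constructed sample, abridged from the export posted in the thread.
SAMPLE_EXPORT = '''\
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=l2tp-AAISP \\
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="Nat: masquerade 10.0.1.0/24 to l2tp-AAISP's address" src-address=10.0.1.0/24
'''


def parse_export(text):
    """Yield (menu, params) for every 'add' line of a RouterOS export."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            # Assumption: long lines are wrapped with a trailing backslash
            # and the continuation is indented on the next line.
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line                      # e.g. "/ip firewall nat"
        elif line.startswith("add "):
            params = {}
            # shlex keeps quoted values (comments with spaces) in one token.
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                params[key] = value
            yield menu, params


def unscoped_masquerade(text):
    """Return srcnat masquerade rules that name no out-interface(-list)."""
    findings = []
    for menu, p in parse_export(text):
        if menu != "/ip firewall nat":
            continue
        scoped = "out-interface" in p or "out-interface-list" in p
        if p.get("action") == "masquerade" and p.get("chain") == "srcnat" and not scoped:
            findings.append(p)
    return findings


if __name__ == "__main__":
    for rule in unscoped_masquerade(SAMPLE_EXPORT):
        print("masquerade without out-interface:", rule.get("comment", rule))
```
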

@jaclaz I'll have a look at the NAT statement after tea. The link I followed was https://support.aa.net.uk/L2TP_Client:_Routerboard

  1. Go to the NAT tab, and add a new rule with +:
     1. General, Chain: "srcnat"
     2. General, Src. Address: "192.168.88.0/24"
     3. General, Out. Interface: "l2tp-aaisp"
     4. Action, Action: "masquerade"
     5. Comment: "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address"
     6. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.

@jaclaz, thank you for the reply. I have added the missing NAT rule; unfortunately it doesn't seem to have helped.
This is the current config after the NAT change.

# 2026-01-06 02:53:49 by RouterOS 7.20.6
# software id = xxxx-xxxx
#
# model = D53G-5HacD2HnD
# serial number = xxxxxxxxxxx

/interface bridge
add name=Lan-Bridge
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface l2tp-client
add comment="Andrew and Arnold L2TP" connect-to=l2tp.aa.net.uk disabled=no max-mru=1340 max-mtu=1340 name=l2tp-AAISP profile=default use-peer-dns=exclusively user=xxxxxxxx
/interface bridge port
add bridge=Lan-Bridge interface=ether1
add bridge=Lan-Bridge interface=ether2
add bridge=Lan-Bridge interface=ether3
add bridge=Lan-Bridge interface=ether4
add bridge=Lan-Bridge interface=ether5
add bridge=Lan-Bridge interface=wlan2
add bridge=Lan-Bridge interface=wlan1
/interface list member
add interface=lte1 list=WAN
add interface=Lan-Bridge list=LAN
/ip address
add address=10.0.1.254/24 interface=Lan-Bridge network=10.0.1.0
/ip dhcp-client
add disabled=yes interface=ether4
add disabled=yes interface=ether4
/ip firewall filter
add action=accept chain=input comment="Input: allow established and related" connection-state=established,related
add action=accept chain=forward comment="Forward: allow established and related" connection-state=established,related
add action=accept chain=input comment="Input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="Input: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=accept chain=forward comment="Forward: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=drop chain=input comment="Input: drop all remaining traffic"
add action=accept chain=input comment="Input: allow established and related" connection-state=established,related
add action=accept chain=forward comment="Forward: allow established and related" connection-state=established,related
add action=accept chain=input comment="Input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="Input: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=accept chain=forward comment="Forward: allow all from Lan-Bridge" in-interface=Lan-Bridge
add action=drop chain=input comment="Input: drop all remaining traffic"
add action=drop chain=forward comment="Forward: drop all remaining traffic"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP: Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=l2tp-AAISP protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="Nat: masquerade 10.0.1.0/24 to l2tp-AAISP's address" out-interface=l2tp-AAISP src-address=10.0.1.0/24
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Any other suggestions or tests I could do to try and see where the issue lies?

@StaffsTony

Hi, please mark code with the preformatted code tag using the </> button.

Post the output of:

/ip route print

Check what happens with a traceroute.