Mikrotik - Enable Split Tunnel on L2TP VPN

Hi Experts

How do I enable split tunneling on Mikrotik? I have implemented an L2TP VPN, with no pre-shared key.

The IP address that the router gives out to L2TP connections should be within the same subnet as all other local users, and when configuring the Windows client (in Networking -> IPv4 -> Properties -> Advanced) clear “Use default gateway on remote network”…

nothing else..

Hi satman1w

If I clear “Use default gateway on remote network”, then I can access or ping my internal network.

If you clear “Use default gateway on remote network”, only the traffic destined for the remote subnet will be routed through the tunnel and the rest will stay the same as before. So you will be able to ping your network, and all other traffic will be routed through your default gateway…

L2TP VPN is a PPP-style protocol in which the IP handed out is technically a /32, not a subnet, so no broadcast or ARP learning exists, and the client machine does not generally enable a route for the remote subnet.

If you clear “use remote default gateway”, you’ll need to add routes specifically to be used on the VPN. This can be done locally on the client device, and there are different ways (with differing success) to advertise remote routes via the VPN as well, none of which I’ve had too much success with (such as DHCP options).
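As an added example (not from any poster in this thread), the Windows client side of the split-tunnel setup discussed above, done from PowerShell with the VpnClient module (Windows 8 / Server 2012 or later): clear the remote default gateway on the connection and add explicit routes for the remote subnets. The connection name and subnets are constructed placeholders.

```powershell
# Added example (not from any post in this thread): configure split tunneling
# for an existing Windows L2TP connection from PowerShell (VpnClient module).
# Connection name and remote subnets are constructed placeholders; replace them.
$ConnectionName = 'Office-L2TP'
$RemoteSubnets  = @('192.168.88.0/24', '10.10.0.0/16')

$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Equivalent of clearing "Use default gateway on remote network" in the GUI:
# only traffic matching routes bound to the connection goes through the tunnel.
if (-not $conn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Because L2TP/PPP hands the client a /32 with no subnet information, the
# remote networks must be added as explicit routes on the connection.
foreach ($prefix in $RemoteSubnets) {
    $existing = (Get-VpnConnection -Name $ConnectionName).Routes |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Review the result: SplitTunneling should be True with one route per remote
# subnet. Anything not listed stays on the local default gateway, so the
# tunnel never becomes the default route for the client.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling,
        @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' } }
```

After the VPN is connected, `Get-NetRoute -DestinationPrefix 192.168.88.0/24` should show the route bound to the VPN interface, while `0.0.0.0/0` still points at the local gateway.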

route.png
…as you can see, the L2TP interface is up and the auto route for the remote network is added…

Disabling the remote default gateway works, but does not give me the possibility to “say” to remote users (or remote sites)…
L2TP on RouterOS only allows assigning an IP address to remote clients via IPCP.

If Mikrotik allowed assigning IP addresses via DHCP, it would be possible to:

  • Not send Option 3 to remote users.
  • Use Option 121 to “teach” remote users which networks they should reach through “this tunnel”.

I’m not sure, but that is exactly the methodology that the VPN server of Windows Server uses to do split VPN.

Unfortunately such settings are a collection of non-standard manufacturer inventions, all incompatible with one another.
This explains why new VPN protocols are invented all the time that solve all problems, at least those that the inventor sees.
Still we (the users) are left with an inconvenient mess…

For example, now there is IKEv2 VPN. It is supposed to solve all these issues. And indeed, now you can set the routed subnets on the server side and the client receives them.
However, most implementations are broken and accept only ONE such route. When you advertise two, only one will work. Bummer.