Please add custom port options for l2tp-server and l2tp-client, so that 1701 can be changed to 11701 or other ports, just like sstp

Please add custom port options for l2tp-server and l2tp-client, so that 1701 can be changed to 11701 or other ports, just like sstp.

Why is this function needed?

For example, l2tp-client needs to connect to many l2tp-servers: 1.1.1.1-9.9.9.9,

and needs to use a server host with a good line and fast speed to do DNAT forwarding,

200.200.200.200 using DNAT forwarding rules,

debian nftables 200.200.200.200:10000-10010 --> 1.1.1.1:10000-10010 (l2tp-server 10000-10010 redirect 1701)
debian nftables 200.200.200.200:10011-10020 --> 2.2.2.2:10011-10020 (l2tp-server 10011-10020 redirect 1701)
debian nftables 200.200.200.200:10091-10100 --> 9.9.9.9:10091-10100 (l2tp-server 10091-10100 redirect 1701)

If the custom port option for l2tp-server and l2tp-client is added,

then in RouterOS l2tp-client I can do this,

Use 200.200.200.200 Connect 1.1.1.1 l2tp-server
/interface l2tp-client add name=l2tp-out1 connect-to=200.200.200.200 port=10000 user=vpn password=vpn

Use 200.200.200.200 Connect 2.2.2.2 l2tp-server
/interface l2tp-client add name=l2tp-out2 connect-to=200.200.200.200 port=10011 user=vpn password=vpn

Use 200.200.200.200 Connect 9.9.9.9 l2tp-server
/interface l2tp-client add name=l2tp-out9 connect-to=200.200.200.200 port=10091 user=vpn password=vpn

If the port is interfered with or speed-limited by the ISP, I can also change the port. I made 10 port forwardings for each IP,

then the port can be changed like this,

/interface l2tp-client disable l2tp-out1;
/interface l2tp-client disable l2tp-out2;
/interface l2tp-client disable l2tp-out9;
/interface l2tp-client set l2tp-out1 port=10002;
/interface l2tp-client set l2tp-out2 port=10012;
/interface l2tp-client set l2tp-out9 port=10092;
:delay 1m;
/interface l2tp-client enable l2tp-out1;
/interface l2tp-client enable l2tp-out2;
/interface l2tp-client enable l2tp-out9;

Or do more complex judgments like if() do{}, do{} while(),

Thanks to every worker who contributes to MikroTik.

A loyal user who likes RouterOS and purchased and owns MikroTik devices.

June 28, 2026, 05:57
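The relay-side forwarding described in the opening post, written as one nftables interval map instead of one DNAT rule per server. This is an added example, not configuration from the thread; the table, map and chain names are made up, and the masquerade rule assumes the L2TP servers do not route replies back through 200.200.200.200 on their own.

```nftables
#!/usr/sbin/nft -f
# Added example for the relay 200.200.200.200 (Debian, nftables).
# Assumes net.ipv4.ip_forward=1 on the relay.
# Table, map and chain names are hypothetical.

table ip l2tp_relay {
    # Port range -> L2TP server. Adding a server means adding one element,
    # not one more DNAT rule.
    map l2tp_backend {
        type inet_service : ipv4_addr
        flags interval
        elements = {
            10000-10010 : 1.1.1.1,
            10011-10020 : 2.2.2.2,
            10091-10100 : 9.9.9.9
        }
    }

    chain prerouting {
        # priority -100 is the standard dstnat priority
        type nat hook prerouting priority -100; policy accept;

        # Destination port is kept; only the address is rewritten.
        # Ports with no map entry are left untouched by this rule.
        ip daddr 200.200.200.200 udp dport 10000-10100 dnat to udp dport map @l2tp_backend
    }

    chain postrouting {
        # priority 100 is the standard srcnat priority
        type nat hook postrouting priority 100; policy accept;

        # Assumption: servers would otherwise reply directly to the client,
        # so rewrite the source to the relay to keep the flow symmetric.
        ip daddr { 1.1.1.1, 2.2.2.2, 9.9.9.9 } udp dport 10000-10100 masquerade
    }
}
```

With the masquerade rule in place, every L2TP server sees the relay's address as the peer, so server-side logs and address-based filters no longer show the real client IP. Each server still needs its own rule redirecting its port range to 1701, as the post describes.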

Wouldn't some simple action=dst-nat chain=output NAT rule do what you need for the client part? And for the server part, action=dst-nat chain=dstnat rules?

If there are only a few L2TP clients, we can change the port using DNAT.

But,
what if there are 500 L2TP clients?
What if there are 1,000 L2TP clients?
And using 500+ or 1000+ dst-nat rules?

And, what is the difference? If you have 1000 L2TP clients, you already have 1000 entries under PPP -> Interfaces to manage.

And for the L2TP server, you can even have one single DSTNAT action=dst-nat chain=dstnat dst-port=10000-20000 to-ports=1701 rule for your 10000 choosable ports.

IPLC/IPEL Server
200.200.200.200

200.200.200.200:10001-10010 --> l2tp-server public ip 1 ( 10001-10010 redirect 1701 )
200.200.200.200:10011-10020 --> l2tp-server public ip 2 ( 10011-10020 redirect 1701 )
200.200.200.200:10021-10030 --> l2tp-server public ip 3 ( 10021-10030 redirect 1701 )
...
200.200.200.200:19991-20000 --> l2tp-server public ip 999 ( 19991-20000 redirect 1701 )
...

Now all I need to do is add the L2TP custom port option.
Managing and maintaining such a large L2TP client using dst-nat rules is really terrible.

I know that dst-nat can change ports; the topic of this post is requesting the addition of this feature.

/ip firewall nat add action=dst-nat chain=output dst-port=1701 protocol=udp to-ports=10001

Write this request directly to MT support; there is a low chance that it will be noticed here on the forum.