Problem with L2TP Firewall

I have a problem with L2TP firewall settings. The setup is okay and works well only when I disable the “drop all not coming from LAN” rule.
Here is my config:

> /interface wireless security-profiles
> set [ find default=yes ] supplicant-identity=MikroTik
> /ip ipsec proposal
> set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
>     pfs-group=none
> /ip pool
> add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.252
> 
> /ppp profile
> add change-tcp-mss=yes dns-server=192.168.1.100 local-address=192.168.1.1 \
>     name=vpn remote-address=dhcp_pool1 use-ipv6=default
> 
> /interface l2tp-server server
> set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=yes
> 
> 
> /ip firewall filter
> add action=accept chain=input comment="accept established,related" \
>     connection-state=established,related
> add action=drop chain=input dst-port=22,80,443,2000,8291 in-interface=\
>     pppoe-out1 protocol=tcp
> add action=drop chain=input comment="drop invalid" connection-state=invalid \
>     in-interface=pppoe-out1
> add action=accept chain=input comment="accept ipsec" protocol=ipsec-esp
> add action=accept chain=input comment="accept ike, l2tp, ipsec" dst-port=\
>     500,1701,4500 protocol=udp
> add action=drop chain=input comment="drop all not coming from LAN" \
>     in-interface=!LAN in-interface-list=all
> add action=accept chain=forward comment="accept established,related" \
>     connection-state=established,related
> add action=drop chain=forward comment="drop invalid" connection-state=invalid \
>     in-interface=pppoe-out1
> add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
>     connection-nat-state=!dstnat in-interface=pppoe-out1
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=pppoe-out1
> /ip firewall service-port
> set h323 disabled=yes
> /ip ipsec profile
> set [ find default=yes ] dh-group=modp2048 dpd-interval=2m \
>     dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128,3des

I assume the problem is that the L2TP connection is not treated as part of the LAN. How can I fix it without removing the rule itself?

Services like L2TP create a dynamic interface per connection. These can be added automatically to an interface list - you set this up in the ppp profile.

If you want these clients to be treated the same as LAN, simply specify that they should be added to LAN.

Thanks. Can you guide me on how I can add those clients to LAN?

I suggested you go to ppp->profile, select vpn, then set interface list to LAN.

This will add/remove the interfaces to the list automatically.

Is this somehow not working?

It works now. I set the default bridge and l2tp interface to use the same interface list. Thanks.
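
The fix discussed in this thread, written out as RouterOS configuration in export style. This is an added example, not a post from the thread or anyone's actual router config; the bridge name `bridge` is an assumption, while the list name `LAN`, the profile name `vpn` and the rule comment follow the posts above.

```routeros
# Constructed example: adjust the bridge name to match your router.

# 1. An interface list that represents "trusted LAN side".
/interface list
add name=LAN

# 2. Static member: the LAN bridge (name assumed to be "bridge").
/interface list member
add interface=bridge list=LAN

# 3. Dynamic members: every L2TP session that uses the "vpn" profile
#    gets its per-connection interface added to the list on connect
#    and removed on disconnect.
/ppp profile
set [ find name=vpn ] interface-list=LAN

# 4. The drop rule must match on the list, not on a single interface.
#    Before (from the thread): in-interface takes one interface by name,
#    so traffic arriving on a dynamic L2TP interface falls into the drop.
#      add action=drop chain=input comment="drop all not coming from LAN" \
#          in-interface=!LAN in-interface-list=all
#    After:
/ip firewall filter
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN

# 5. Check while a VPN client is connected: the session's interface
#    should be listed as a dynamic member next to the bridge.
/interface list member print where list=LAN
```

Every interface in `LAN` passes this input rule, so VPN clients get the same access to the router itself (including the management ports that the earlier rule blocks only on `pppoe-out1`) as wired LAN hosts.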