Routing with L2TP client on RB3011

Good morning, I’ve joined in the hope I can get some help please with trying to get routing working on an RB3011 working as an L2TP client to get around CGNat.

This is the first Mikrotik device I have ever come across and although I have some network knowledge, having dabbled with both Cisco and Zyxel previously, I have no Mikrotik experience I’m afraid.

The topology is a 5G ZTE CPE Pro modem in bridge mode connected to the RB3011 eth1; eth2 is connected to a firewall device which deals with the firewalling and other stuff.

I have set eth1 to get a DHCP address from the ZTE, that works fine; eth2 has a fixed IP address 10.0.1.254.

By following several guides on the internet, I have got the L2TP tunnel working fine. If I plug the eth2 port into a layer 2 switch I can connect the laptop to a spare port and browse the web, and the IP address shown is the one the L2TP tunnel issues and not the one the 5G ISP provides, so the tunnel works and traffic is being routed through it.

The only issue I have is that I am unable to ping the RB3011 from the eth2 network (10.0.1.0/24). I think this is because the guide I followed adds in a route for 0.0.0.0/0 over the L2TP tunnel, but I cannot see how to adjust it so I am able to route traffic across the L2TP tunnel and also configure the RB3011 via its web config.

A similar issue is how to access the ZTE config page, which is at 192.168.8.1. Even though bridge mode is active, the page is still accessible; again, all traffic seems to go over the tunnel so I cannot access or ping 192.168.8.1, and again I think I need another route / NAT for that.

If anyone would be able to give me some idea on how to correctly set the routing so I can send web traffic across the L2TP tunnel but still access the RB3011 for configuration etc, that would be really helpful.

I will post the config this afternoon once I figure out how to get it from the RB3011 in text format!

Edit: attached the config with sensitive data replaced with XXX, and I can do a diagram if that helps.

# 2025-12-17 11:57:43 by RouterOS 7.21rc1
# software id = xxxx-xxxx
# model = RB3011UiAS
# serial number = xxxxxxxxxxxx
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface l2tp-client
add allow-fast-path=yes comment="L2TP-Provider" connect-to=l2tp.xx.xxxx.xxx dial-on-demand=yes disabled=no name=xxx-l2tp-out1 profile=default user=xxxxxxxxx
/routing table
add fib name=XX_L2TP
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=10.0.1.254/24 interface=ether2 network=10.0.1.0
/ip dhcp-client
add interface=ether1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=XX_L2TP passthrough=no src-address=10.0.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=xxx-l2tp-out1
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.254 routing-table=main scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx-l2tp-out1 routing-table=XX_L2TP scope=30 target-scope=10
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes touch-screen=disabled
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=ether1
/system clock
set time-zone-name=Europe/London

BR

Tony.

Post the output of the /ip route print command.
You should have, besides the static routes in your configuration, a DAc route for 10.0.1.0/24 with the lowest distance of 0 (in table main).
But in mangle you forced ALL traffic originating from 10.0.1.0/24 to go through the routing table XX_L2TP:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=XX_L2TP passthrough=no src-address=10.0.1.0/24

so table "main" will never be accessed for locally originated connections.

I would try disabling that mangle rule and use instead a set of routing rules similar to the one in point #3 here, further commented later in that thread:
Beginner's question about config dual wan failover + warp - #14 by jaclaz
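As an added illustration of the approach described above (this is not the rule set from the linked post, which is not reproduced in this thread), the following routing rules replace the mangle mark-routing rule. The LAN subnet 10.0.1.0/24, the router address 10.0.1.254 and the table name XX_L2TP come from the export above; the rule for the ZTE management subnet 192.168.8.0/24 assumes that an address in that subnet is configured on ether1, which is an assumption.

```routeros
# Added example, not a configuration posted in this thread. Names follow the export:
# LAN 10.0.1.0/24 on ether2, routing table XX_L2TP with a default route via the tunnel.
# Routing rules are evaluated top to bottom; the first matching rule selects the table.
/ip firewall mangle
disable [find new-routing-mark=XX_L2TP]
/routing rule
# LAN traffic to the RB3011's own LAN subnet: the DAc route for 10.0.1.0/24 exists
# only in main, so keep this lookup there. This keeps WebFig/Winbox on 10.0.1.254 reachable.
add src-address=10.0.1.0/24 dst-address=10.0.1.0/24 action=lookup-only-in-table \
    table=main comment="LAN to local subnet via main"
# LAN traffic to the ZTE management page (assumes an ether1 address in 192.168.8.0/24).
add src-address=10.0.1.0/24 dst-address=192.168.8.0/24 action=lookup-only-in-table \
    table=main comment="LAN to ZTE management via main"
# Everything else from the LAN goes through the tunnel table. lookup-only-in-table
# (rather than lookup) means that if the tunnel route is inactive the packet has no
# route at all, instead of falling back to main and leaving via the CGNAT address.
add src-address=10.0.1.0/24 action=lookup-only-in-table table=XX_L2TP \
    comment="LAN to internet via L2TP only"
```

The last rule is the one that decides whether the LAN can leak out of the ISP path when the tunnel is down: with action=lookup it would silently fall back to the main table and the DHCP default route on ether1, so lookup-only-in-table is the safer choice when the whole point of the tunnel is that traffic must not leave any other way. Check the result with /routing rule print and /ip route print, and confirm from a LAN host that 10.0.1.254 and the internet are both reachable.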

@jaclaz, thank you for the reply, as requested here is the output of /ip route print

[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS       GATEWAY        ROUTING-TABLE  DISTANCE
0  Xs  0.0.0.0/0         10.0.0.254     main                  1
   DAd 0.0.0.0/0         10.43.237.245  main                  1
   DAc 10.0.1.0/24       ether2         main                  0
   DAc 10.43.237.244/30  ether1         main                  0
   DAc 91.189.21.117/32  XX-l2tp-out1   main                  0
1  As  0.0.0.0/0         XX-l2tp-out1   XX_L2TP               1

I have removed the mangle like you said and added a modified version of the rules in #3 to suit my ip network and L2TP tunnel.

I now seem to be able to access the RB3011 config page AND the tunnel is up and routing traffic through it, so all seems good there.

The last step I need to try and do is to put in a route to allow access to the ZTE 5G modem config page, which is at 192.168.8.1 on the eth1 (WAN) interface. Obviously that traffic would not go through the L2TP tunnel, although it is on the same physical interface eth1.

Any suggestions on how I achieve that please?

Do you have something else between the ZTE modem and the 3011 as ether1 has a dynamic address of 10.43.237.244/30 with a default gateway of 10.43.237.245?

Some firewall rules would be good too as the 3011 is completely exposed to the public internet via the L2TP tunnel.

No, the ZTE is a 5G cable modem in bridge mode; it receives its IP from the cellular company and passes that on to the RB3011.

When the ZTE was in ‘normal’ mode, i.e. not set as a bridge, its management page was 192.168.8.1, which is still usable even though it is in bridge mode. I’ve just plugged the laptop directly into the LAN socket that connects to the RB3011 and I can ping 192.168.8.1 and access the config page in the ZTE. I guess it is like a sub-interface where there are two IP addresses on the port, one static 192.168.8.1 and the other DHCP from the cellular ISP.

The eth2 port on the RB3011 is connected to a separate firewall which does all the firewalling. In fact I would prefer EVERYTHING to be open in the RB3011 and whatever comes down the L2TP tunnel to be passed out of eth2 so I can deal with it in the existing firewall; in effect all I am using the RB3011 for is to create the L2TP tunnel so I can have a fixed public IP address and get around CGnat.

As tdw stated, the router seems to be at 10.43.237.245; judging from your route print output, the route to the internet is DAd (so it is Dynamic, Active, derived from DHCP).
And you also have a /30 DAc route, which should mean that your ether1 gets an address of 10.43.237.244 from the router's DHCP.

If you are sure that the router connected on ether1 is accessible through 192.168.8.1, just add an IP address to ether1 that:

  1. belongs to the same 192.168.8.0/24 subnet
  2. is not duplicated on that segment of network

Let's say 192.168.8.254/24:
/ip address
add address=192.168.8.254/24 interface=ether1 network=192.168.8.0

This will automagically create a DAc (Dynamic, Active, connected) route with highest priority, distance 0, to the whole 192.168.8.0/24 subnet through ether1.

Or, if you want to make it "tighter" you could use a /30 subnet instead and 192.168.8.2.

If the ZTE intercepts connections destined for 192.168.8.1 it should just be a case of excluding that address from the mangle rule so the traffic uses the default route to the ZTE rather than that to the tunnel.

Even though you are handling traffic forwarded through the 3011 with a separate firewall it would be wise to apply some rules to traffic destined for the 3011 itself via the L2TP tunnel, so for chain=input with in-interface=xxx-l2tp-out1 as this never reaches your other firewall.

@jaclaz, I have added the IP address to eth1 as you suggested and it works perfectly. I can now access the ZTE config page as well as the RB3011 config page, and the tunnel is still up and passing other traffic, which is exactly what I wanted to achieve, so I really appreciate the help in getting it working.

@tdw, I removed the mangle earlier as suggested by jaclaz, so don’t have that in any longer, but all working perfectly now.

I am interested though in what you say about adding additional rules to protect the RB3011 from the tunnel traffic. Can you elaborate please on what I need to do to achieve that? To be honest it’s something I had not even considered.

As I mentioned, the existing firewall that is on eth2 will deal with all the port forwarding and firewalling for the rest of the internal LAN and has been working fine for many years.

This has all come about because I have decided to replace the existing ISP with a 5G / 4G solution as the cable internet was so poor and becoming more expensive with no prospect of having fiber as we are too rural.

If anyone can elaborate on what @tdw mentioned about adding some rules to secure the tunnel, then I am all ears.

Running GRC ShieldsUP on a PC connected directly to eth2 shows I have no open ports, which seems ok. I have managed to add in a NAT rule to open port 6789 to test, and that works and shows as open in ShieldsUP.

And I have another question: is it possible to use an additional ethernet port, say eth3, and an OpenVPN client running on the RB3011 to connect to a remote OpenVPN server and route this out through the tunnel too?

One of my friends has an office several hundred miles away and currently I have a Netgear router that creates the OpenVPN connection to his office, I then plug my laptop into the Netgear to access his Lan.

I am thinking I could remove the Netgear completely and just use the RB3011 to create the OpenVPN connection and have that route out of the existing tunnel which I have to use to get around CGnat.

This would not use the eth2 interface; it would have a separate ethernet connection on say eth3, as only a single device at a time would ever be using it.

I’ve been struggling with this for a few days and gotten nowhere, so I have gone back to the initial setup which uses the RB3011 L2TP client to create the L2TP tunnel and route all my traffic over the tunnel. The config is the same as the initial one I posted; I have ditched the OpenVPN as I could not get that to work.

The only thing I cannot get my head around now though is how I ‘port forward’ ports through the tunnel to the Zyxel firewall behind the RB3011.

A bit of background, before I fitted the 5G modem and the RB3011, my ISP supplied me a static IP which I put on the WAN interface of the Zyxel firewall, I then did the forwarding on the Zyxel and it worked perfectly for a few years.

Since fitting the 5G modem and RB3011 I assumed all traffic from eth2 (RB3011 LAN interface to the Zyxel) would go up the tunnel and off to the internet, and in reverse the tunnel would in effect be transparent, allowing everything to come back, but none of the forwarding on the Zyxel is now working. For example, I have a webserver on the LAN behind the Zyxel; if I connect my laptop to the Zyxel WAN port and browse its IP and port I can see the webserver as I have always done when I had the static IP, so I know the Zyxel is forwarding to the webserver correctly.

However, with the RB3011 LAN connected to the Zyxel WAN port, I am not getting the web server when I browse to the L2TP remote server address. In fact I see no incoming traffic coming through the tunnel and hitting the Zyxel WAN IP address if I look at the Zyxel logs; normally there are hundreds of entries the Zyxel blocks from all over the world.

I have disabled all Firewall filter rules in the RB3011 and that hasn’t helped, how do I make the L2TP tunnel allow all traffic inbound so I can just do the port forwarding and firewalling on the Zyxel?

Anyone help please? Google hasn’t been much use; it mainly finds results about L2TP server and not client.

Thanks

Tony
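An added example, not a configuration posted by anyone in this thread, covering two points raised above: tdw's suggestion of input-chain rules for traffic arriving on the tunnel interface, and the port-forwarding question in the post just above. With srcnat masquerade on xxx-l2tp-out1, replies to connections opened from the LAN are translated back automatically, but a new connection arriving from the internet is addressed to the tunnel's own IP and terminates on the RB3011 unless a dstnat rule hands it on to the Zyxel. The interface name xxx-l2tp-out1 comes from the export; the Zyxel WAN address 10.0.1.1 and the forwarded ports 80 and 443 are assumptions to be replaced.

```routeros
# Added example, not from the thread. Interface name from the export; the Zyxel WAN
# address (10.0.1.1) and the forwarded ports are assumptions.
/ip firewall filter
# chain=input: connections addressed to the RB3011 itself that arrive through the tunnel.
# The tunnel's own L2TP control traffic arrives on ether1, so these rules do not affect it.
add chain=input in-interface=xxx-l2tp-out1 connection-state=established,related \
    action=accept comment="tunnel: replies to router-originated traffic"
add chain=input in-interface=xxx-l2tp-out1 protocol=icmp action=accept \
    comment="tunnel: allow ping / path MTU discovery"
add chain=input in-interface=xxx-l2tp-out1 action=drop \
    comment="tunnel: no WebFig/Winbox/SSH etc. from the internet"
# chain=forward: traffic passing through the RB3011 towards ether2 / the Zyxel.
add chain=forward in-interface=xxx-l2tp-out1 connection-state=established,related \
    action=accept comment="tunnel: return traffic for LAN-initiated connections"
add chain=forward in-interface=xxx-l2tp-out1 connection-nat-state=dstnat \
    action=accept comment="tunnel: only dst-nat'ed new connections may enter"
add chain=forward in-interface=xxx-l2tp-out1 action=drop \
    comment="tunnel: everything else from the internet"
/ip firewall nat
# Unsolicited connections arrive addressed to the tunnel's public IP. dst-nat hands the
# chosen ports to the Zyxel WAN interface, which then applies its own forwarding rules.
add chain=dstnat in-interface=xxx-l2tp-out1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.1.1 comment="web server behind the Zyxel"
# Catch-all variant (left disabled): forward every protocol and port to the Zyxel so that
# it sees and filters all inbound traffic. Wider exposure, so only enable it deliberately.
add chain=dstnat in-interface=xxx-l2tp-out1 action=dst-nat to-addresses=10.0.1.1 \
    disabled=yes comment="DMZ-style: everything to the Zyxel"
```

dst-nat is applied before the forward chain, so a forwarded connection never touches the input chain and the final input drop does not interfere with it; the forward rule matching connection-nat-state=dstnat is what lets such connections in while everything else from the tunnel is dropped. Once the dstnat rule is active, the Zyxel log should again show tunnel-sourced connections on its WAN address, and the existing ShieldsUP check from a PC behind eth2 can confirm that only the intended ports answer.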

If the Zyxel is going to handle firewalling and port forwarding, why don’t you get rid of the RB3011, connect the firewall directly to the modem and configure L2TP on it, or use the RB3011 as a switch (bridge all ports and remove all static addresses) and again configure the Zyxel as the L2TP client? Or doesn’t the firewall support L2TP?