Static routes L2TP

Hello everyone.

I'm new to routing and MikroTik and I need some help, hope you can help me out.
Just ask if there is something you need to know.

I have built a solution with 3 MikroTiks, where one of them is set up as an L2TP server with a static WAN
and the other 2 act as clients with a dynamic WAN.

I have managed to make static routes so 192.168.1.x can reach 192.168.10.x and 192.168.20.x, and this works fine.
But I can't manage to get a connection between the 192.168.10.x and 192.168.20.x networks.

Example: I need the host of 192.168.10.20 to connect to host of 192.168.20.20

Can you maybe help me out? Sorry for my lack of knowledge.

Best Regards
Mattias
[attachment: Example Network.png]

No need to be sorry for "bad knowledge" - everyone has to start from somewhere after all :)

As for the routes, luckily it's quite easy to set them up: on the 10.1 router you add a route that points to 20.1 with the VPN as the gateway, and vice versa:

# 192.168.10.x router

/ip route
add dst-address=192.168.20.0/24 gateway=10.1.1.1

# 192.168.20.x router

/ip route
add dst-address=192.168.10.0/24 gateway=10.1.1.3
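Added illustration, not part of the original thread: a small Python model of the hub-and-spoke tables in the reply above. It walks a packet from 192.168.10.20 to 192.168.20.20 and the reply back, first with only the hub's routes (the situation in the first post) and then with the two spoke routes added. It models RouterOS static routing only: longest-prefix match, a static route that is active only while its gateway is covered by a connected route, the /32 connected route RouterOS installs towards the PPP peer on each tunnel end, and the spokes' DHCP default route on the WAN as fallback. The interface names (`bridge`, `L2TP-HQ`, `l2tp-out1`, `<l2tp-L2TP-R2>`), the R3 LAN of 192.168.20.0/24 as drawn in the diagram, and the host addresses are assumptions; PPP state, the firewall filter and NAT are not modelled.

```python
"""Hub-and-spoke route walk for the L2TP topology in this thread (added example).
RouterOS-style static routing only: longest-prefix match, static routes active
only while a connected route covers the gateway, dhcp-client default on the WAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str                         # prefix, e.g. "192.168.20.0/24"
    gateway: Optional[str] = None    # next-hop IP (static) or "WAN" (default via DHCP)
    interface: Optional[str] = None  # outgoing interface (connected route, no gateway)


# Which router owns each tunnel address, taken from the /ppp secret lines
# (server local-address 10.1.1.1/10.1.1.3, client remote-address 10.1.1.2/10.1.1.4).
OWNER = {"10.1.1.1": "R1", "10.1.1.3": "R1", "10.1.1.2": "R2", "10.1.1.4": "R3"}

# Tables constructed from the thread's diagram and exports. RouterOS installs a /32
# connected route towards the PPP peer on each tunnel end; interface names assumed.
BASE_TABLES: Dict[str, List[Route]] = {
    "R1": [  # hub: already routes both spoke LANs (first post)
        Route("192.168.1.0/24", interface="bridge"),
        Route("10.1.1.2/32", interface="<l2tp-L2TP-R2>"),
        Route("10.1.1.4/32", interface="<l2tp-L2TP-R3>"),
        Route("192.168.10.0/24", gateway="10.1.1.2"),
        Route("192.168.20.0/24", gateway="10.1.1.4"),
        Route("0.0.0.0/0", gateway="WAN"),
    ],
    "R2": [  # spoke with LAN 192.168.10.0/24
        Route("192.168.10.0/24", interface="bridge"),
        Route("10.1.1.1/32", interface="l2tp-out1"),
        Route("192.168.1.0/24", gateway="10.1.1.1"),
        Route("0.0.0.0/0", gateway="WAN"),
    ],
    "R3": [  # spoke with LAN 192.168.20.0/24 (as drawn in the diagram)
        Route("192.168.20.0/24", interface="bridge"),
        Route("10.1.1.3/32", interface="L2TP-HQ"),
        Route("192.168.1.0/24", gateway="10.1.1.3"),
        Route("0.0.0.0/0", gateway="WAN"),
    ],
}

# The two spoke routes proposed in the reply above.
SPOKE_ROUTES = {
    "R2": Route("192.168.20.0/24", gateway="10.1.1.1"),
    "R3": Route("192.168.10.0/24", gateway="10.1.1.3"),
}


def with_routes(tables: Dict[str, List[Route]], extra: Dict[str, Route]) -> Dict[str, List[Route]]:
    """Copy of `tables` with one extra route appended on each router named in `extra`."""
    return {name: routes + ([extra[name]] if name in extra else [])
            for name, routes in tables.items()}


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. A static route only counts if some connected route on the
    same table covers its gateway; otherwise RouterOS flags it unreachable and the
    next-longest candidate is used."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in ip_network(r.dst)]
    candidates.sort(key=lambda r: ip_network(r.dst).prefixlen, reverse=True)
    for route in candidates:
        if route.gateway is None or route.gateway == "WAN":
            return route
        gw = ip_address(route.gateway)
        if any(c.gateway is None and gw in ip_network(c.dst) for c in table):
            return route
    return None


def trace(tables: Dict[str, List[Route]], start: str, dst: str) -> List[str]:
    """Follow `dst` hop by hop from router `start`. Last element: "<router>:<interface>"
    when delivered onto a connected network, "<router>:WAN" when it falls through to the
    default route (leaves the VPN), or "no route"."""
    path, node = [start], start
    for _ in range(8):  # hop limit guards against a routing loop
        route = lookup(tables[node], dst)
        if route is None:
            return path + ["no route"]
        if route.gateway is None:
            return path + [f"{node}:{route.interface}"]
        if route.gateway == "WAN":
            return path + [f"{node}:WAN"]
        node = OWNER[route.gateway]
        path.append(node)
    return path + ["loop"]


def stays_in_vpn(path: List[str]) -> bool:
    end = path[-1]
    return end not in ("no route", "loop") and not end.endswith(":WAN")


def lan_to_lan(tables, src_router: str, src_host: str, dst_router: str, dst_host: str) -> Tuple[bool, List[str], List[str]]:
    """Two-way check: request and reply must both stay inside the tunnels, otherwise the
    connection fails even though one direction looks fine on its own."""
    request = trace(tables, src_router, dst_host)
    reply = trace(tables, dst_router, src_host)
    return stays_in_vpn(request) and stays_in_vpn(reply), request, reply


if __name__ == "__main__":
    for label, tables in (("hub routes only", BASE_TABLES),
                          ("with spoke routes", with_routes(BASE_TABLES, SPOKE_ROUTES))):
        ok, req, rep = lan_to_lan(tables, "R2", "192.168.10.20", "R3", "192.168.20.20")
        print(f"{label}: reachable={ok}")
        print("  request:", " -> ".join(req))
        print("  reply:  ", " -> ".join(rep))
```

Run as a script it prints both walks. With the hub's routes alone the request never enters the tunnel: R2 only has a match in its default route, so the packet leaves via the WAN, which is what a missing spoke route looks like from the client side. The two-way check also catches the half-fixed case where only one spoke has its route and the reply leaks out the other spoke's WAN.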

Thanks for the answer!
I tested that yesterday and it didn't work out.
But I played around a bit and found a solution that is working. I don't know if it's right, but maybe you can sort that out for me!

# 192.168.10.x router

/ip route
add dst-address=192.168.20.0/24 gateway=10.1.1.1
add dst-address=10.1.1.0/24 gateway=10.1.1.1

# 192.168.20.x router

/ip route
add dst-address=192.168.10.0/24 gateway=10.1.1.3
add dst-address=10.1.1.0/24 gateway=10.1.1.3

If the solution is the one you posted under the quote, it's the right one and the same as mine. I forgot to mention that the routes I posted are in addition to the ones that can be seen on the network diagram.

Thanks!

Yes, I needed to add:
add dst-address=10.1.1.0/24 gateway=10.1.1.1 - on router 2
add dst-address=10.1.1.0/24 gateway=10.1.1.3 - on router 3

I thought that 10.1.1.1/10.1.1.2 were aware of 10.1.1.3/10.1.1.4, but that was not the case,
so the 10.1.1.0/24 route made that happen.

Do you think this is the right way, or is there an easier way?

Best Regards

Mattias

Now that I think about it, the routes really are a bit odd… Would you mind posting an exported config of the VPN server as well as at least one of the clients?

export file=anynameyouwish (minus sensitive info like serial numbers, public IPs, etc.)

Just so you know, remote router R3 has 192.168.30.0/24 instead of 192.168.20.0/24 as in the diagram, but I don't think that makes any difference.


# feb/06/2025 11:13:39 by RouterOS 6.49.17
# software id = 
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes multicast-querier=yes multicast-router=permanent name=\
    bridge
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.150
add name=pool-L2TP ranges=192.168.1.201-192.168.1.211
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 multicast-router=permanent
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret= one-session-per-host=yes \
    use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip arp
add address=192.168.1.5 interface=bridge mac-address=
add address=192.168.1.37 interface=bridge mac-address=
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.99 mac-address= server=defconf
add address=192.168.1.100 mac-address= server=defconf
add address=dhcp mac-address= server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list="Remote Access List"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=L2TP in-interface-list=WAN protocol=\
    ipsec-esp
add action=accept chain=input comment="Access Winbox from L2TP" dst-port=8291 \
    in-interface=all-ppp protocol=tcp src-address=192.168.1.200
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add comment="Route till R2 192.168.10.0/24" distance=1 dst-address=\
    192.168.10.0/24 gateway=10.1.1.2
add comment="Route till R3 192.168.30.0/24" distance=1 dst-address=\
    192.168.30.0/24 gateway=10.1.1.4
/ip upnp interfaces
add interface=bridge type=internal
/ppp secret
add local-address=192.168.1.1 name= password=\
     profile=default-encryption remote-address=\
    192.168.1.200 service=l2tp
add local-address=10.1.1.1 name=L2TP-R2 password= profile=\
     remote-address=10.1.1.2 service=l2tp
add local-address=10.1.1.3 name=L2TP-R3 password= profile=\
     remote-address=10.1.1.4 service=l2tp
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=R1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# feb/06/2025 11:32:05 by RouterOS 6.47.9
# software id = 
#
# model = RBmAPL-2nD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface l2tp-client
add connect-to= disabled=no ipsec-secret=\
     name=L2TP-HQ password= use-ipsec=\
    yes user=L2TP-R3
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    station-pseudobridge ssid="" wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.30.100-192.168.30.180
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan1 list=WAN
/ip address
add address=192.168.30.1/24 interface=ether1 network=192.168.30.0
/ip dhcp-client
add disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 in-interface=all-ppp protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add comment="Route mellan L2TP Clients" distance=1 dst-address=10.1.1.0/24 \
    gateway=10.1.1.3
add comment="Route till HQ 192.168.1.0/24" distance=1 dst-address=\
    192.168.1.0/24 gateway=10.1.1.3
add comment="Route till R2 192.168.10.0/24" distance=1 dst-address=\
    192.168.10.0/24 gateway=10.1.1.3
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=R3
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It's because of the local address of the PPP secrets on the L2TP server: if you set it to be one and the same for both secrets (say 10.1.1.1), then there should be no need for the two routes. I don't expect it to cause problems the way it is, so if you don't mind the routes, you can leave it as it is.

Config I set on the routers:

#R1
add local-address=10.1.1.1 name=L2TP-R2 password= profile=\
     remote-address=10.1.1.2 service=l2tp
add local-address=10.1.1.1 name=L2TP-R3 password= profile=\
     remote-address=10.1.1.3 service=l2tp

#R2
add comment="Route till R3 192.168.30.0/24" distance=1 dst-address=\
    192.168.30.0/24 gateway=10.1.1.1


#R3
add comment="Route till R2 192.168.10.0/24" distance=1 dst-address=\
    192.168.10.0/24 gateway=10.1.1.1

Hello, I tried that out but it didn't work out. I still needed to add:

add dst-address=10.1.1.0/24 gateway=10.1.1.1

in both R2 and R3 to make it work


It's not a problem and I still managed to get it to work.

It's just fun to know why things happen, so I can learn from it and troubleshoot in the future.

Best regards

Mattias