Messy ... yeah I really need to do my MTCRE already
Well, maybe just "so unusual that a mere mortal cannot understand it without having additional context". Details below.
On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server for the client to connect directly.
Slow down. You mention "your router" (=the Tik we are currently dealing with), "clients router" (the one which provides "your router" with internet access), and now you come with "onsite router".
And I feel as if you freely mixed "L2" and "L2TP". So is the L2 tunnel from the bridge on "your router" to your office provided using the L2TP session where the Tik in your office is an L2TP client and "your router" is the L2TP server, or is there anything else? Because you say you have also "an L2 server for the client to connect directly", which suggests that the L2TP server on "your router" serves only one of these purposes.
The PPPoE is for once there is no direct internet access from inside the network.
My English is not good enough to be sure what this sentence means. Do you want to say that although the general goal is to prevent devices connected to the LAN side of "your router" from accessing the internet, you plan to permit some exceptions, and that these "privileged" devices will have to use a PPPoE client in order to get internet access because that way you can authenticate them? If so, you'll need an additional permissive rule in the firewall filter, accepting forward traffic which either matches src-address matching the /ip pool used for PPPoE clients, or matches in-interface-list=some-nice-name if you add interface-list=some-nice-name to the property list of the /ppp profile used for PPPoE clients.
The PPPoE server issues from a different pool as the hosts in the current range is near depletion.
I have no problem with assigning the remote-address (the client's one) to PPPoE clients from another /ip pool than to L2TP clients in L3 mode. What I don't understand is why you use a pool instead of a single address as local-address, as I suspect (but have never tried that) that it means that you assign a new address at "your router" for each client connection, i.e. that each client connection takes two IPs from the pool, instead of just one for the client.
Also, by using the same pool for the DHCP server on bridge and for L2TP clients in L3 mode you may spend two addresses from that pool per connected client, one for the L2TP client side of the L3 tunnel and another one if the L2 tunnel has a DHCP client at L2TP client side.
The last firewall filter rule is a default, does that not simply drop connections from the WAN side that are not NATed? Ah ok, but I suppose once you remove the "WAN" In interface it will drop packets on the LAN side as well, correct?
Correct. A default rule is appropriate when the rest of the configuration stays default too; once you customize the default configuration to your needs, there is no reason not to customize the firewall rules too. If it makes you feel better, copy the rule, modify one of them (replace the comment with the irritating word "default" in it with a more appropriate one, and remove the in-interface=WAN) and just disable the original one instead of removing it.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
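As an added illustration of the permissive forward rule described above for authenticated PPPoE clients (this is constructed example config, not taken from the thread or from anyone's /export): the interface list name pppoe-clients, the pool name pppoe-pool, the 10.20.0.0/24 addresses, the secret and the rule comments are all assumptions; the profile uses a single local-address as suggested, and the accept rule is placed before the modified drop rule so it matches first.

```routeros
# --- PPPoE client addressing (constructed values) ---
# Separate pool for PPPoE clients so it does not compete with the bridge DHCP pool.
/ip pool
add name=pppoe-pool ranges=10.20.0.2-10.20.0.254

# Interface list that every dynamic PPPoE interface will join.
/interface list
add name=pppoe-clients

# One fixed local-address (router side), pool only for the client side.
/ppp profile
add name=pppoe-profile local-address=10.20.0.1 remote-address=pppoe-pool \
    interface-list=pppoe-clients

# Example credential; replace with real per-user secrets.
/ppp secret
add name=user1 password=CHANGE-ME service=pppoe profile=pppoe-profile

# PPPoE server listening on the LAN bridge.
/interface pppoe-server server
add service-name=internet interface=bridge default-profile=pppoe-profile disabled=no

# --- Firewall ---
/ip firewall filter
# Accept forward traffic arriving from authenticated PPPoE sessions.
# Matching on the interface list is preferred over src-address because the
# address range check alone would also pass a LAN host that spoofs a pool address.
add chain=forward in-interface-list=pppoe-clients action=accept \
    comment="accept forward from PPPoE clients"
# Drop everything else that is new and not DSTNATed, from any interface
# (the former "from WAN" rule without in-interface-list=WAN).
add chain=forward connection-state=new connection-nat-state=!dstnat action=drop \
    comment="drop new non-dstnat forward from any interface"
```

Rules are evaluated in order, so verify with /ip firewall filter print that the accept rule sits above the drop rule; if it was added later, move it with place-before.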